Working in IT/tech for a school district is the worst. My experience from many years ago - around 2002, I think:
1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."
2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."
3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)
4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"
5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.
6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"
7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )
8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.
I 'worked' for my own high school's IT dept, a few hours a week, as a student. It was an amazing experience working with those guys. I learned so many things, from how to punch, terminate, and run cables to how to set up a Ghost image and deploy it en masse across the district.
One day one of the old Macs was showing the frowny face in an in-session classroom. Boss sent me down there with specific instructions: "pull out the hard drive and beat it really hard with the handle of this screwdriver". I was like: "?" and he was like, "just do it".
So I go down there and let myself in, trying not to interrupt the class. I climb behind the computer on a cart and pull out the HD. I beat it with the handle, like a good 10 times. Of course this got the class all riled up. I blushed, but told them this was normal operating procedure. Plug it back in and it works. I was (secretly) as amazed as everyone else in the class.
Back in the IT office, I say it worked. IT boss smiles and nods. I ask how. Well as it turns out some of those old hard drives used a vegetable oil based lube that seizes up if it's not used for a while. So if you bash it it un-seizes and starts turning again.
Anyway, great times, fun memories. We all got our CompTIA A+ certifications at the end, but don't ask me what the IRQ number is for the parallel port these days.
> ...pull out the HD. I beat it with the handle, like a good 10 times...
Heh. Nice.
A coworker's Mac wouldn't boot. I couldn't hear the hard drive. It was a model with the tip of the spindle exposed. I found a pencil with a gummy eraser. Gave the spindle a twist as I turned the power on.
Told the amazed user, "Do not turn off your computer until after you have backed up your data. That probably won't work twice."
Had a similar experience with the external HDD of a friend of a friend.
HDD wouldn't be recognized; sticking my ear to it, I could only hear the motor emit a beep-like sound, no spin up.
Her master's thesis on it, inaccessible, I've opened up the case, removed the HDD, unscrewed the top and there was the drive arm, stuck in the middle of the platters...
Took a Torx screwdriver, turned the platters backwards and unstuck the drive arm...
Copied all data off of it and sent her to the nearest computer hardware store to get another drive...
Just for the sake of clarification, where was the Torx screw located? The spindle axis or the drive arm axis? (Or somewhere else?) And how did you unstick the drive arm without allowing the head to contact platters? Just trying to visualize, and failing badly.
iirc, that was on the spindle axis - I only was gently pushing the drive arm near its supporting point to avoid it touching the platters (chances are I did make it touch the platters)...
Mind you, this was not in a clean room and I tried to be as quick as possible to not allow too much dust into the case..
More likely an armature rather than a platter. Violence also worked when the drive would get stuck on a bad sector. Bashing the drive horizontally, while it was on, would sometimes move the arm enough for the drive to reacquire and hopefully not hit the same error on the next read attempt.
A few years ago a friend ran a camera shop. From time to time someone would come in with an SLR that wouldn't behave (long exposure, no exposure, nothing in viewfinder). He'd take it, tell them to go away and come back in an hour, then hit it on a telephone directory. 9 times out of 10 that would free the stuck/sticking mirror and everything would be fine. He had to tell the customer to go away, though, so they didn't get agitated seeing him bash their expensive SLR around.
I did similar violence to my old HDD-based iPod. One day it just made a chugga chugga noise. Meaning the HDD was dead. In researching how to recover some music a forum member mentioned dropping it really hard. So I slammed it into my desk and terrified the office. And it continued working for the next few years.
"stiction". Well known in the Apple community in the ... late 80's/early 90's, IIRC? I want to say I remember some official Apple documentation saying to drop the machine from a few inches up in the air, but I may be misremembering.
Are you me?! This basically was my experience working for a very large school district in the early 2000's. My favorite was they asked me to train a school bus driver to be the newest member of the IT staff because "they wanted to learn computers", it also just so happened that this person was the only person their budget could afford (less than 40k/year).
I worked for them as a contractor for a while and one of the big issues they had was they had tons of money to implement new technology (mostly from grants and things like that), but nearly nothing to maintain old tech. They could buy new computers all day long, but if something needed to be repaired/updated/maintained, there was no budget or resources to do it. So there were all sorts of fun issues, like they would buy computers and before they could get deployed their warranty would expire (since they weren't allowed to buy 3 year warranties on the computers) and computers with bad HDDs would get disposed of, even though the fix might be $50 and 10 minutes of time.
That’s hilarious, at a small school our bus driver was the local IT admin… 7 minutes of rainbow tables with ophcrack live cd was all it took to become domain admin.. never changed it for all 4 years lol.
The IT in my district was so bad the students basically ran it for my middle and high school. We did all the desktop repairs and component swaps for free. I don't even think we had an "IT guy." This was 2009-2014 for me.
On the bright side, we got comfortable with computers and ended up building our own little projects (in and outside of school). In 10th grade we souped up one of the engineering lab computers by consolidating a bunch of old graphics cards and played games on it, lol.
That's funny, I worked for a school district about 10 years ago and our IT director was also the transportation director. He knew nothing about IT but I guess they had to give the role to someone at one point and it was him. I think I lasted 2 years before finding my current job.
I've had an internship once at a chain of elementary schools, the main IT guy(s) at those schools were regular teachers that had computers as a hobby. I came in with a few years of school, doing some maintenance, installing some printers (really satisfying with the stick-on stuff), fiddling with the server (a workstation in a broom closet), and playing runescape / internetting in the dark, warm server room at the other location away from the main IT guy.
When I was a teacher my school IT was run as a petty fiefdom. I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security, but they were universally derided amongst staff (including some senior managers I knew) as being terrible to work with.
If I wanted to do something I would be told that there weren’t the resources. If I volunteered to be those resources — in my spare time! — I would be told it’s against policy. If I asked if we could revisit the policy I would be told I was welcome to ask the IT committee (closed door meetings, unminuted) to consider it for their agenda. Time passes. Proposal rejected.
I gave myself one term to see if we could find a working relationship. It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket. I felt like an asshole but at some point you’ve just got to move on, especially if your end goal is improving teaching and learning for the pupils.
> It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket.
In my one experience in a university, this is how it’s done. Just set your own stuff up, hope you aren’t discovered and ideally have a friend high up the ranks.
> I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security
It's probably anxiety about job security/being overworked rather than maliciousness, but it could be both. It is made more complex by the likelihood that the position pays far less than comparable positions pay elsewhere. This causes the district to hire whatever candidate they can get to take the job. The outcome of that works out one of two ways: (a) the employee leaves as soon as they have enough experience to be paid more to do less work by someone else or (b) the employee stays knowing nobody else will hire them and makes sure to only hire other people who know less than they do.
> If I wanted to do something, I would be told that there weren't the resources.
You were told correctly, but probably not told just how bad it is. If it works like it worked for folks I know in similar situations, 80% of the job -- regardless of what you were hired in for or what your title is -- is fixing things that teachers/administration broke or didn't know how to use correctly. Tell them the laptop is for school business only until you're blue in the face, they'll visit every web site offering Flash games, some will surf porn sites riddled with malware and if your IT guy doesn't have a mental breakdown by then, the only thing they're spending the rest of the 20% of time on is blocking teachers/non-IT staff from doing things that they've been told, clearly, not to do. The rest is spent locking things down or softening security policies to keep teachers/non-IT staff from taking more of that 80% time.
> [Volunteering my time] is against policy.
It could be against policy, but that's probably just an excuse being used because it's effective at shutting down the request. There's a very good reason to say "no" in the IT person's mind: your volunteering will still involve their time, and if you're not as capable as you claim to be, it'll involve a lot of their time. If you're one of their users and you're claiming to know a lot about IT, you're more likely to be seen as "someone who knows enough to be dangerous"--the worst kind of user. Even if they believe you, they're confronted with the reality that you deploying/using this new "unapproved thing", will cause others to ask for it -- another teacher/staff member will want it and at some point that IT person is going to end up having to deploy it, patch it, fix it, and maintain it. You'll find this thinking prevalent in most IT support organizations -- the camel can barely walk so it's easier to say "No" and hopefully keep it that way than say "yes" and add enough load to break its back.
> I gave myself one term to see if we could find a working relationship.
I feel your pain. I'm not sure what you've tried and you could very well have just run into a BOFH but assuming this IT person is typical of those I've worked with when I did this work, there are some options. You may have tried these -- it's not meant as "well, you obviously approached this all wrong" but rather advice for others on what I have personally seen work (and had work on me when I did this sort of work, albeit a long time ago).
For anyone in a similar situation, there are a few ways to "hack your IT person". It's nothing magical and can be applied well beyond IT folks, but I'm aiming at folks in this conundrum. While I've not worked for a school district, I spent the first 10 years of my career in several levels of support/systems and ultimately architecture with the first few being similar to the whole "small IT with too many users who hate IT[2]". First, understand what their motivation is -- less support, more time to improve/architect (or play WoW ;) ...). If you have the expertise, approach that person and "talk shop" -- don't reveal that you "have skills", just ask a question or two in an area that teachers/staff often know little about, or go with a simple "I wouldn't do what you do ... all these teachers, many of whom haven't touched a keyboard that wasn't on their phone since 2010 or so ... it's got to be hell". If you can get them to tell a "war story" or two you'll probably find a few opportunities to say something that will reveal that you have somewhat of a clue what you're talking about. Do this outside of work, on their schedule -- Happy Hour or off-site lunch (not often possible during the school day due to time).
If things go well, say something like "I can't imagine how you get anything done with such a computer illiterate staff to babysit (aligning yourself with IT over said staff) ... I'm happy to help out anywhere I can if you can think of something I can do to reduce that grief[0]" This IT person spends their work life dealing mostly with people who are unhappy about things that are broken and the staff they support place blame for those breakages, not the resolution, at their feet[1].
You're now in the magical role of "the teacher who believes IT isn't incompetent." If you are received well, make your ask. Make it very limited -- if you need to be an admin of your laptop, insist that it be temporary and that you'll call the IT person when you are done (offer to let them watch if they want. They won't). Insist that you'll not let people know IT made an exception and will provide the required excuse if someone notices you're running something they can't: usually "IT doesn't know about it" is settled on. Maybe it's something you want every teacher to have -- don't dare explain that, and if you have to, outright lie: "I'm not interested in seeing the district adopt this, I just want to use it myself." You're not shooting your grand plans in the foot, you're giving yourself time to provide hard facts/evidence to make the case that it should be deployed. If it works out well, start planting the seeds with your IT person: "I really love this application, thanks for letting me use it on my school laptop ... what do you think the support overhead for something like this would be if every teacher had it?" ... listen to their concerns, find answers to each of them, revisit the topic. Your IT person is used to management (administration in schools) saying "this is what we need on every PC" without care for what amount of work/grief IT will deal with to sort it out. Administration doesn't care about IT griping very much -- it's seen as IT, "yet, again", complaining about having to "do work" and treating completely reasonable (in their minds) requests as though they're equivalent to scaling Mount Everest. If you have the data from your unofficial pilot to back you up, and the right person in IT (at least) not working against you, and other financial considerations/contracts aren't in the way, you'll be successful. If you're successful and your project works, the next time you may not have to ask at all.
Your IT person makes just as many judgements about you and their users as they make about IT but there's a lot more of you than there are IT folks. Having an ally/expert among the "clueless users" has a much higher value to your IT person than having that person as your ally does for you, even if it doesn't seem that way[1--(again)].
[0] How much time is IT spending doing "Help Desk" kind of support for everyone outside of IT (regardless of title/responsibilities the IT person was hired in for)? It's probably 80% "User Support" and 20% "everything else" which means all of the effort put into "everything else" centers around reducing how often teachers have to take time away from IT. Your offer, if it's trusted, will reduce that burden at no cost to the IT person. Don't make that promise if you're not willing to do it, but it's unlikely anything will be asked of you.
[1] In the "Game of IT Support" (or its variants: "The Game of Network Security Administration", etc), you can never have a score greater than "Zero". Zero is "everything works". When something breaks, you lose points. When you fix it, you gain points up to (but not always) your top score of "Zero". Roll out massive new infrastructure for WiFi? You're at Zero (or less since it probably won't work as conveniently as it does at home). You're an expense whose purpose it is to make things operate the way everyone expects they're designed/intended/meant to work. They also expect that you (IT) shouldn't be necessary -- these things should just work like my router/PC/internet service at home works and shouldn't require so much "policy" to "avoid doing things".
[2] While I was still living with my parents, my neighbor referred me to the IT job -- he was in Development. I'll never forget when my Dad called me up asking "why is IT (where I worked) at (company) so bad?" after listening to my neighbor berate my company's IT operations teams (never me, specifically). We were so hated. By everyone, especially non-Support IT. That was an impossible conversation to have.
When I engaged in `net send` shenanigans at the local community college, at least the IT staff was smart enough to know where to scramble a runner whenever those dialog boxes popped up across campus.
"ALL YOUR BASE ARE BELONG TO US" was quite the meme then, but apparently they thought it was some form of cyber-terrorism.
That's the only proper response, really. You love to see it.
I'll never understand braindead school administrators whose response is "throw the entire CFAA book at them" for kids who do the most harmless sort of "hacking". I mean, they're literally 16-year-olds. How disconnected from reality does one have to be to think that police/legal action is appropriate for this type of stuff? It's like they're specifically trying to ruin lives and create criminals/blackhats.
Edit: And something I remembered while scrolling this thread... it's particularly disappointing when it's the actual IT staff who get mad and threaten to press charges. Like, sure, if it's a 60-year-old secretary who's worried about you starting WWIII by whistling into a payphone, that's just ignorance, that's one thing. But IT people ought to know enough about security/"hacking" to see how ridiculous they're being... just sad.
> How disconnected from reality does one have to be to think that police/legal action is appropriate for this type of stuff?
They don't ask that. They just want their computers to always magically work and having to dedicate mental resources to events in IT at all is an intrusion to their time - to them, throwing CFAA at them is "setting an example".
I haven’t thought of net send in years. Circa 2000 I worked at Cisco and added some JavaScript to my profile in the corporate directory that sent me a net send message with the hostname of the computer that viewed my profile. At that time the hostname usually included the employee’s username, so I had a nice heads up that somebody was looking me up.
I should have left it at that, but I got cheeky and also did a net send back to the origin saying something like “thanks for your interest in onionisafruit”. That got escalated and I was threatened with disciplinary action. It didn’t occur to IT that they shouldn’t allow arbitrary script tags in user profiles. The best response was just to threaten the people who were creative with what they were given.
I don’t remember the details, but based on my skill level I know it wasn’t anything novel. At the time I was learning my first programming language, Perl. IIRC I had a Perl daemon running on my computer that accepted an http request, did a reverse dns on the origin and sent the hostname in a net send message. Some of my coworkers used Sun workstations. I could get notifications from them but obviously couldn’t send them a net send message in response.
IE supported vbscript, though I don't know how far back that goes. You can certainly run arbitrary commands from jscript or vbscript using an hta app (or wscript)
When I had my net send fun back in school, an IT guy found me and just explained that if it becomes a recurring thing, they'll have to disable it on the network. And that they would prefer to keep the functionality available, so it would be a real shame if I ruined that for them. I never did another one, because I understood it would be a dick move.
No condescension, no threats. Just treating me like an adult with a constructive conversation. It never occurred that anyone might overreact like many in this thread experienced. Makes me feel pretty fortunate now.
O mannn I was suspended from HS, and banned for 2 years from touching school computers for net send shenanigans as I wasn't smart enough to cloak the originating workstation.
My message to every single computer in our HS:
"Hey what's up!"
my friend added to this:
"Your network (H:/) drive is being deleted."
School administrators and teachers did not find this funny.
About a year after the college prank, I was recounting the incident to a helpdesk coworker on a relatively quiet Saturday. He refused to believe that "net send" even existed, and dared me to do it. So I did, the content of that message being a rather tame "This is a test message, press OK to close."
He was on phones, got about twenty calls including one from a VP - with even more popping in throughout the following week as people returned to workstations to see the dialog. We were able to play it off as "testing the network" (not wrong I suppose), but our manager was a responsible sort and had it blocked with a group policy shortly after.
What year was this? I remember a time in the mid 90s (c. 1996?) when Novell had just upgraded to "intranetware" and all the computers had fancy "web browsers" which was fun, there was a 64k ISDN for the computer suite (we actually had two, but the other was RM Nimbus machines which could just about run netwars). This was in the UK.
I changed the homepage to a webpage which redirected to file://c:/con/con (which for those who don't know caused a windows BSOD at the time).
IT teacher thought it was hilarious, used it as part of the lesson about how computers can be broken into, and told everyone "ok we've seen that, don't do it again".
Another time I remember writing a simple program, probably in qbasic, which captured passwords to a file. It only wrote the first 4 or so letters to the file - showed what we could do, had a little fun, tricked the teacher into logging in, and then told him "ha ha".
As long as you came up with creative things (not just copying others, which is tedious), which didn't cause too much disruption (no deleting files), and stopped doing it once you proved it could be done, you were fine.
Networked IT was new and exciting then though, to the students and the teachers. A few years earlier and it was all BBC Micros, a few years later and everyone was on the internet and trying to install backorifice, but for a brief moment well meaning harmless (for a teenager) curiosity was rewarded.
> and banned for 2 years from touching school computers for net send shenanigans
Ha, yeah I got banned for using net send as an IM app with friends too. There were a couple of us in my school who were skilled, enthusiastic programmers - it is kinda stupid that the punishment they decided on was to prevent us from being educated :-/
Wow, almost the exact same thing happened to me and I was thrown out of that school, mainly for using another students account to send the base message.
School districts absolutely love consultants. Because they have to make difficult decisions, and they can hide behind a consultant. It's part of the bureaucracy survival suite.
They always have the money. They just don't care about doing things properly. It simply isn't a priority for them.
Makes me feel good when someone comes and exploits their negligence. It's like divine retribution and they're doing god's work. They tempt fate and the gods punish them by making them pay more than they would have paid had they done things right. Amazing.
They don't personally pay. But they still have to balance the budget, and the more that's spent to help with gentrification of the surrounding area (such as via nice football fields, good teachers/a good greatschools rating, well-kept grounds and events) can help lead to increased future funding and thus a bigger paycheck, at least within 5-25 years.
I got two Saturday detentions for finding that same tool (also ~2002) - though I just typed “Hi” and hit send - to everyone on the school network.
I of course didn’t really know what I was doing. Looking back, this was a very strange punishment. Joke’s on them I guess - left Oklahoma after HS and am now a software engineer in the Bay Area.
If only we could have reframed our approach to these situations.
Provided what was sent/defaced/etc wasn't hate speech or punching down on someone else, we should have really used these events as flags for identifying kids who could hone their computer skills into something "productive".
This is not unique to school districts at all, but any organisation, large or small, that treats IT/tech only as a necessary inconvenience, instead of an actual part of the org deserving of resources, planning, and people.
If you work in tech/IT, and the big bosses consider you and your org disparagingly, leave immediately. Something bad will happen with their IT, and you will be blamed, hassled, and harassed for it.
People respond to incentives, and "fast-to-react" is easier to measure than "wisely proactive" in at least two ways. First, the risk is no longer theoretical; the damage was measured. Second, the fix is easy to measure: spend $X dollars on Y firm on date Z. This is all nice, easy to understand evidence of a manager doing their job.
Alternatively, you have staff pointing out a possible flaw. That staff's time was already allocated; their noticing a flaw is a) taking time away from their allocation, and b) tacitly critical of decisions made above their pay grade. And even if they are right, the manager won't get credit for prevention, and in fact will get punished for "wasting" resources in an ad hoc way, rather than what they were acquired for.
It is depressing in the extreme to work for such an organization, and you were right to quit, because over time these perverse incentives will start to shape you whether you like it or not. The very idea of owning your work, of caring about real-world outcomes, becomes anathema as a matter of survival. You have to exist, along with your org, in a checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice, mode. It's safe and comfortable for the body; it is deadly to the soul.
I loved working IT for a school district. My favorite memory/story is the time a woman called the cops on me for talking on my cellphone in the parking lot. lol
My first thought: Your district had an IT department? I guess that's probably more common now than when I went to HS in the 90s but I'm fairly certain IT duties are still farmed out to a small business for the districts I live near.
Outside of that, though, I've talked to folks who worked in IT at a nearby hospital[0] and knew several who worked in IT at a University a town over and heard variations of your story. After ransomware hit a few hospitals across the country, my hope is that this is less common but I'd be surprised if anything is meaningfully better.
The problem with getting non-technical people to understand the importance of securing things is that they assume that everything provides a basic level of security. They read about hacks/attacks and hear about them on the news but they have probably not experienced one, personally[1]. They apply physical security considerations to the virtual world -- for instance, the keys you use to lock your front door are almost certainly terrible[2] but requiring physical access to the lock makes attacks on them rare. And that's the rub, it's the mistake in thinking that "Nobody cares about my stuff enough to hack me" which is the evidence used to justify the "it's never going to happen to me". It's a failure to understand that even if it were true that an attacker would literally have no use for anything you're protecting with a password (which is absolutely false -- your identity is enough) that another target will be chosen ahead of you[3]. On the internet, every target can be attacked at once, silently, from a distance and targets are chosen based on whether or not the attack succeeds.
In a High School, you can fully expect there's at least one of me in every graduating class. I'm surprised things like this don't happen all the time given how little attention is paid to network security/endpoint security in these places. No amount of threats of expulsion, legal action, etc will serve to help when your attackers are High School students[4]. The same part of their brain that makes them believe they're immortal/causes irresponsible behavior early-on in driving causes them to not understand the real probability that they will face criminal charges which is coupled with them not fully understanding how badly those criminal charges will affect the rest of their lives.
[0] The discussion arose after he had watched Season 1 of Mr. Robot and said "that's exactly how it is here except we have a (technical) staff of two rather than one"
[1] I can't tell you how many extended family members have shared that they still use a single password for every account and in a few cases, that password might as well be a variation of "Password".
[2] I have a close friend who learned how to pick locks as a hobby; he filed me off a bump key and taught me how to use it, whacking it with a branch of a tree; I was able to open my supposedly "extra secure" dead bolt pretty consistently with about 15 minutes of practice, he's picked each of my locks at one time or another.
[3] The old "You can't outrun the bear, but if you and your friend are being chased by the same bear, you only need to outrun your friend".
[4] I used to tell my kids that our High School not only had no doors in the stalls of the men's room, there had never been any doors designed into the plan. The partitions were brick, there were no holes, anywhere, where doors had been removed. I figured this was to make it easier to catch kids smoking but while fixing his PC, I asked the principal about it. His answer was "vandalism" -- students would rip them out. Really?! I couldn't imagine this. Fast forward to this year, the doors on the stalls at my kid's HS were ripped out by students during the first week of class. The kids were caught, criminally charged and had to pay for the damage. Their reason? They saw someone do it on TikTok and didn't think they'd get caught (there are 2 dome cameras at the entry to each bathroom!). Despite paying for the damage, the doors are not coming back this year -- I'd wager they'll never come back.
Reminds me of my school leaving prank. I rewrote the whole internet on my school's computers. Google's logo became "Leavers '08", Facebook became "Hatebook" and was red, YouTube only played videos of cats, amongst other things.
These were the days when nothing had SSL, so you could just intercept and rewrite traffic!
My only requirement was: do no actual damage
It was implemented as a Debian live CD that you could drop into any school computer. It would boot up, then Ettercap would MITM the whole network by spoofing the router. It routed all HTTP traffic via Squid and a custom ICAP server that did the actual rewriting. If you removed the live CDs, the network just went back to normal within a couple of minutes.
Routing the whole school's network through one old Pentium machine wouldn't work though, so I figured out a way of doing distributed load balancing: it would do the ARP spoofing slowly and randomly. So, as you added more machines, it would just magically balance between them.
It worked great for about an hour then the whole network mysteriously stopped working for the rest of the day. I left all the live CDs in the computers as a calling card.
Unless you had a special case for the hijacking machines to ignore the spoofed ARPs, the whole thing probably fell apart when they ended up with a loop between each other rather than a path to the real gateway.
Oh, yeah. That's a very good point. That's probably why it stopped working. I always thought the network admins pulled the plug assuming they'd been hacked.
Would it have needed leader election though? It's a stateless system. It might have been enough to ignore spoofed ARP replies, or to not attack machines of its own kind.
Yeah, even in state systems, I think some sort of gossip protocol could work as long as the part of the state being decided on is not in contention with another node's response during a round of sampling.
Used to be that Windows allowed programs to hook into each other’s event busses. (It might still, I’m not sure.) This might be why a few of my high school’s computers would interpret every 5th right click in minesweeper as a left click.
I ran into a fun bug in W10 where my arrow keys were moving the mouse cursor around. Turns out MS Paint does this as a feature and somehow it leaked beyond Paint.
Yup, you can still do that. AutoHotkey is a wonderful tool for this. You can intercept input events globally, and transform them or send completely different events to the target app.
For example, I use AutoHotkey to implement my JKLmouse program, which turns certain keyboard events into mouse movement for precise control. It's similar to the MouseKeys that comes with Windows, but made for laptop keyboards without numeric keypads.
And yes, you could definitely do that Minesweeper hack in AutoHotkey! :-)
Would you mind sharing that script? I have been looking for something similar, but didn't find anything that worked well and did not have the time yet to give it a try myself. I would really appreciate it.
Sure. I didn't want to engage in self-promotion, but since you asked, here's the website and source code. There is an installer, but it's kind of old. I suggest installing AutoHotkey itself, then download the JKLmouse.ahk and JKLmouse.ico files from GitHub, and put a shortcut to the .ahk in your Startup folder.
One thing to note is that I wrote this to use on my ThinkPads, which have physical mouse buttons. On a laptop where the touchpad itself is the mouse button, it may be difficult to avoid nudging the mouse position when you click.
I've been thinking about adding support for using other keys as "mouse buttons", but haven't done anything about it yet.
Wow, somehow that use of random and slow ARP proxying as a duct-taped together load balancing mechanism makes this so much cooler.
I'm not sure I quite understand the details, though. I assume there was only one gateway for the segment, so were the spoofed ARP replies unicast instead of broadcast? Otherwise, wouldn't all clients just switch to whatever machine announced their spoof for the gateway IP last?
This was 13 years ago so my memory is fuzzy... if I recall correctly, spoofed ARP replies were unicasted to every possible address on the network. It switched from machine to machine slowly, which is fine because they all served the same content.
There were several subnets at the school, each with its own gateway. I remember having to set up live CDs in several computer labs to cover each of the subnets.
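A detection-side view of the rotating gateway spoof and the loop suspected in the replies above, as an added example that is not from any commenter: it scans ARP reply records for gateway claims coming from unexpected MACs and for spoofing hosts that were themselves told another spoofer is the gateway. The gateway address, the MACs, the record format and the time window are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed values for this example (documentation address ranges, not from the thread).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:00:5e:00:53:01"
WINDOW_SECONDS = 300

# Constructed ARP replies, one per line:
#   epoch  sender_ip  sender_mac  target_ip  target_mac
SAMPLE = """\
1000 192.0.2.1 00:00:5e:00:53:01 192.0.2.20 00:00:5e:00:53:20
1010 192.0.2.1 00:00:5e:00:53:aa 192.0.2.20 00:00:5e:00:53:20
1015 192.0.2.20 00:00:5e:00:53:20 192.0.2.1 00:00:5e:00:53:01
1040 192.0.2.1 00:00:5e:00:53:bb 192.0.2.21 00:00:5e:00:53:21
1100 192.0.2.1 00:00:5e:00:53:aa 192.0.2.31 00:00:5e:00:53:bb
1160 192.0.2.1 00:00:5e:00:53:bb 192.0.2.30 00:00:5e:00:53:aa
1900 192.0.2.1 00:00:5e:00:53:01 192.0.2.22 00:00:5e:00:53:22
"""


@dataclass(frozen=True)
class ArpReply:
    ts: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def parse(text):
    """Parse the constructed record format; malformed lines are skipped."""
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        replies.append(ArpReply(int(parts[0]), parts[1], parts[2].lower(),
                                parts[3], parts[4].lower()))
    return sorted(replies, key=lambda r: r.ts)


def analyze(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC,
            window=WINDOW_SECONDS):
    # A forged reply binds the gateway IP to any MAC other than the known one.
    forged = [r for r in replies
              if r.sender_ip == gateway_ip and r.sender_mac != gateway_mac]

    # Which hosts was each forging MAC presented to as "the gateway"?
    victims = defaultdict(set)
    for r in forged:
        victims[r.sender_mac].add(r.target_ip)
    spoofers = set(victims)

    # Several MACs taking turns inside one window is the signature of the
    # slow, randomized rotation described in the thread.
    peak = 0
    for i, first in enumerate(forged):
        macs = {r.sender_mac for r in forged[i:] if r.ts - first.ts <= window}
        peak = max(peak, len(macs))

    # A spoofer that received a forged reply from another spoofer now forwards
    # to that peer instead of the real gateway. Two hosts pointing at each
    # other form a forwarding loop, which looks like an outage to users.
    poisoned_by = {}
    for r in forged:
        if r.target_mac in spoofers and r.target_mac != r.sender_mac:
            poisoned_by[r.target_mac] = r.sender_mac
    loops = sorted({tuple(sorted((a, b))) for a, b in poisoned_by.items()
                    if poisoned_by.get(b) == a})

    return {
        "forged_replies": len(forged),
        "spoofers": sorted(spoofers),
        "victims": {mac: sorted(ips) for mac, ips in victims.items()},
        "peak_concurrent_spoofers": peak,
        "loops": loops,
    }


if __name__ == "__main__":
    for key, value in analyze(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

On a managed switch the same condition is usually caught earlier by pinning the gateway's IP-to-MAC binding rather than by reading replies after the fact.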
Hypothetically it could happen and even if it isn’t true, I feel it adds something to the conversation. Besides, you cited as many sources as they did.
I think you're underestimating motivated high schoolers.
When I was in high school I was a huge Linux fan and had a side job as a network administrator for small companies in my town. I don't know if I would have gotten the "random ARP load balancing" idea, but overall it seems well within the knowledge admins of the days had about TCP/IP.
When I was between 15 and 17 or so, I wrote small HTTP, DNS servers etc. in C++ for fun (straightforward implementations and not better in any way, so in the end just learning exercises), and I definitely had friends who did similar things.
Not really. Sounds like this was class of '08, and at the time BackTrack would have been readily available and popular enough for a curious highschooler with a bit of computing background to find. As I recall Ettercap was built in and I wouldn't be at all surprised if there were tutorials for setting up scenarios almost exactly like what is described.
Even the ARP balancing thing is the kind of too-clever-by-a-half solution a naive youngin' would come up with since it would lead all the nodes thinking each other are the gateway and crushing the network with routing loops.
Sounds like you hung out with the wrong kids in high school.
A couple friends and I pulled off some stunts of comparable non-digital complexity. (This was the 80s, schools didn't have networks.) They were more of the logistics and misdirection sort; for instance, having your own version of the printed graduation programs delivered, instead of the boring, official one.
I did some similar shenanigans when in 10th grade, with backtrack 3 and ettercap-ng it was pretty easy. I didn’t do the load balancing, and ended up crashing the network when my laptop couldn’t keep up lol.
I'm less skeptical. OP already mentioned that most things were not encrypted back then, so this was probably still in the days of transparent proxies, so OP could have "just" added one with some ARP spoofing. They were somewhat common in school and office networks, and like regular HTTP proxies (except the transparent ones had the traffic redirected forcefully to them) they essentially consumed HTTP requests and sent new ones out to The Internet. While mostly used for caching and blocking, it seems relatively simple to me that OP could have just replaced e.g. some stylesheets served back to the client.
Three things are remarkable about this, and make it a happy story.
First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.
Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.
Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.
My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.
The school district itself was relatively chill, however the individual deans freaked out. Because the penetration report was sent to the tech team and not the deans, the deans were intent on finding out exactly who did the hack to find something to report to their bosses (and according to them concern about the grade book system being exposed?? Not sure how you’re supposed to rick roll a grade book but if anyone has an idea I’d love to know). As the earliest poster of footage of this event, I actually got tracked down (despite the fact that the only information they had to go off of was my YouTube channel which had no references to my actual name whatsoever) and interrogated about what I knew of the event by the dean. The penetration report had been sent a while prior to this (which I knew about, as being a sibling of the original blog poster can have many benefits) which made the entire thing so much funnier. I was thankful that masks were a requirement for in person students at the time, as my mouth was literally twitching the entire time during the interrogation.
In our high school they didn't expose the gradebook in that you could get in and change it, but we were able to see everyone else's grades. Teachers would post grades for their class and "obscure" it by posting it with the student ID (you were only supposed to know your own) next to the grade. But when they posted, the entire list was still in alphabetical order so it wasn't hard to figure out everyone's grade and student ID.
And the cherry on top of this was that all the students' passwords were their student ID.
> and according to them concern about the grade book system being exposed??
Junior year in high school, I got suspended for "hacking."
The tl;dr is that I was using a proxy to fetch assignments for class (because the county decided "yeah, this state run Moodle instance is obviously not appropriate for education" and one of my classes used Moodle) and got caught with the proxy configuration screen open. I wish I was joking.
Anyway, when I was sitting in the guidance counselor's office as the teacher was talking up how "dangerous" I was, I noticed a sticky note with a username and password written on it. Turns out it was an admin account for the gradebook, though I think it was just intended for scheduling.
I never did anything bad with those credentials, but that really tanked what little respect I still had for the administrators there.
On a lighter note, when stack exchange & co got blocked the next year, I was good friends with the librarians since I helped out a fair amount fixing up their laptop carts (and doing other things the sysadmins were too busy to take care of), and they were able to get them unblocked. It taught me a lot about office politics: people are willing to return favors, so you should always make those connections.
Yep. It's also a general signal that you're a good actor willing to do the work. An observer with no interaction can see what you did for the librarians and put in a good word for you somewhere without you ever even knowing.
> despite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever
Assuming you took the video at the top of the article, it was presumably trivial to figure out who was in the class you were in and then rule out everyone who appears on camera as the camera man. Or just ask the teacher...
For contrast, I once got suspended from the school computer labs for two weeks for the heinous crime of... running an unauthorized executable from a flash drive.
It was Rainmeter; I was showing it to a friend. The IT guy even was like "yeah Rainmeter's pretty cool, I read about it in a magazine". But it was auto-detected and school policy, apparently.
Preface this by saying this was a smaller school, and the students had limited access to wifi. For example a teacher would create a set of radius credentials that would only be active for 1 hour. Since data was also expensive that was not an easy work around.
In my grade 11 electronics class, one project we were assigned was to create a digital clock with notifications for one of the teachers. Me and a friend set up a raspberry pi with magic mirror installed on it, and modified some available plugins at the time to allow a google calendar for test dates embedded on the display. The teacher was quite pleased with this, but we convinced him to hard wire it to the network for "stability". In the background we had installed a vpn connection to one of my vps that I used to host my website, and created a new set of sudo enabled credentials naming it magic-mirror or something. The teacher then reviewed the project and changed the normal user credentials etc. Then right before it was installed in the ceiling, we attached a wifi adapter to the pi. A week or so later we remoted in through the tunnel and enabled a wireless hotspot from the pi. This provided us with internet while we were close to the classroom for the next year. People also over time learned that you could extend the range by hot spotting additional jumps using laptops.
Nice! I used to carry around a wireless router in my backpack for the same reason, and made sure to surreptitiously plug it in at the back of every class. Similarly, the school had very restricted WiFi, but no restrictions on the wired network. Fun times.
When I was in High School (early 90's) we got a new computer system that nobody was using yet. I discovered there was an email system of some kind and that every student had an email address that we were not told about. I also discovered Tetris installed in a directory on the server. I was able to play Tetris and I could show other students how to access it, but it was inconvenient to get to.
Therefore I decided I would email Tetris to every student (I emailed the executable, not a link to Tetris), making it easier for everyone to play also. As soon as I did this the entire system got very slow...apparently the server had no quotas or partitioning and the hundreds of copies of Tetris filled up 100% of the hard drive space. It was a disaster. The computer "specialist" had no idea how to fix the system and she was teaching an adult education class that evening that required the system to work. She was furious and wanted me to get suspended. It didn't happen though because I spoke up about the problem right when I knew there was a problem and also some other teachers intervened on my behalf.
The woman who was responsible for the computer system back then is now the superintendent of the school system. I wonder if she remembers me.
I also graduated in the early 90's and my children recently graduated from my alma mater. When I went with them to teacher conferences some of the same teachers were still there. Teachers that I didn't even have classes with remember me.
In like '89 when I was 19 and at university my work-study job was with the IT/ComputingResources department (old names). I worked as a graveyard shift NOC operator swapping tapes and handing out print-jobs, running system tests and stuff like that. We had several 24/7 computer labs full of Sun 3/50(60) workstations and things like that. But there was one lab that was closed from 10-5 overnight and I thought to myself "hey, there's a whole room of workstations not doing anything" so I wrote some scripts rsh/NFS and used that lab one night to run distributed ray-tracing jobs. The next day my account was disabled and I had to go talk to Security. They sorta laughed a bit then went like NO don't do that. I worked for the IT department for the next four years. Then I left for a decade. Then I came back and applied for a job. The interview lasted all of five minutes, I worked for a few months before being forcibly promoted up into the upper circle. My first task was to go around to the dozen others who had root and ask for advice and update the root-speech documentation. I got to Security.... tippity tappity "Oh, hello Mr. zengargoyle, let's see... '89 'misuse of computing resources'." LOL, still had root by the end of the day.
So, this is just to say... that places like education where people may stick around for a long while in the system and such. They probably do remember a bunch of events from even a decade ago. It's the good places that have a sense of humor or appreciation for a worthy harmless infraction. They may even be secretly proud or have some admiration.
Though I do sorta fear that I just happened to hit the tail end of old-school hackery where such things are rewarded. Now get off my lawn.
I feel so dumb when I read kids doing these things. Back in High School all I knew was how I could run arbitrary executable files by renaming them to calc.exe. We also did the classic "take a screenshot of the desktop, set it as the wallpaper, then remove all icons and the start menu" thing.
Another good one on that level was using the Windows keyboard shortcut ctrl-alt-down to rotate the display upside down - totally harmless, but absolutely maddening if you don’t know how to undo it
Even better if you combined it with an upside down screenshot of the desktop. So it looked like only the mouse was upside down and all buttons didn't work.
I think it's a good thing that Ctrl+Alt+Arrow is no longer intercepted by graphics drivers, since IMO shortcuts not containing Win should be handled by apps and not the system.
I told a friend who knew absolutely nothing about computers to go and type format c: on the school only computer and wait for the result. It turned a bit ugly but we're still friends :)
I went to Buffalo Grove High School in this same district and graduated many years ago. At the time no IPTV systems or EPIC bell systems were in place. However, as soon as I walked in my freshman year I noticed the 'teacher' WiFi was only using MAC Address Filtering. One minute scan and a spoof later I was poking around to discover a whole lot was visible from this privileged network. “...From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!” It was even worse back then. It was all exposed on wide open WiFi!
My senior prank was going to revolve around the printers. We were shocked to discover every printer not just in BG but across the entire district was accessible with no authentication of any kind. We cooked up ideas and were planning to print either porn or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
Ultimately I got into other trouble before we could execute and figured this wasn’t worth not graduating over. I moved on and so happy to see a much better prank on this same network happen so many years later with almost no repercussions. Congratulations and great prank!
In middle school all classrooms had their own printer. They were also shared on the entire school network with no security. We had a lot of fun printing stuff to other classes and never got caught.
I’ve said this a bunch on here so please tell me to stuff it if it’s tiresome, but having been on the far side of a large scale bug bounty I am incredibly impressed with the skills that young folks are developing in infosec. Probably not particularly unique but the industry is still a bit of a combination of tradecraft and academic pursuit and can be confusing for people to find a way in. I think this is why I really appreciate those that just bear down and get after it.
I told my district that I could change my race at-will via a hidden form on the profile page. I changed it to "Purple". Got a call back from some IT guy telling me I accessed their computer without authorization, and that if it happened again, they'd press charges. I asked to be put through to the IT administrator, and he laughed and told me don't worry about it... Sometimes, they can handle it well. Very glad they did for you as well :)
I think the delineation point comes in with whether they are an IT "person" or a school administrator.
Regularly, I would end up in trouble in my High School for things like bypassing the root account (using ShellShock), or nullifying their executable restrictions (because I needed to run my own executables for a work/study program). If I got caught, the IT admin would sit down and we'd chat about what happened, how they could improve their security and such. An administrator caught on to one of my shenanigans, bypassing the content block because I wanted to read a "hacking" article, and threatened me with suspension. Supposedly, she reported the incident to IT, and IT told her to not bother me anymore.
This is spot on. I used to work as a sysadmin for a large private school and always enjoyed the red/blue dynamic of tech team vs the smarter students trying to poke through the restrictions of their laptops and network.
It was always disappointing when they took it too far and were directly caught by teachers or administration before I could tell them they were being a bit too blatantly malicious.
That's definitely true, my elementary school principal once got upset at me for unplugging and replugging the ethernet to fix the internet... I'm pretty sure the IT guys would have done the same :P
Reminds me lightly of when I was in high school, email was fairly new -- especially at a school. My friend at a fancy private school had a Linux machine to access, and she really wanted to know what someone else had said about her. I managed to script kiddy my way in leveraging her existing shell login, got root, and read the email. What I didn't realize was that my .history file contained everything I had done. Eventually the sysadmin wrote me an email saying he knew what was going on and wanted to meet up, stating 'he wouldn't cuff me' and that he was 'a chill dude'. I was obviously scared, deleted everything, and tried to pretend nothing ever had happened.
Luckily no one got in trouble (meaning me or my friend). Not so sure this would happen in 2021.
About two years ago, I was in high school and decided to, as a joke, “hack” the computer. By logging in as admin:password. I was incredibly surprised when it actually ended up working as a domain admin account. After checking this, I immediately signed out.
When my CS teacher filed a ticket asking “who has the user account ‘admin’ and why is the password ‘password?’” IT wanted to revoke my network login and probably put me in ISS for a few days. Fortunately, my CS teacher didn’t reveal who I was.
Very glad IT at this person’s school took it in stride, unfortunately this was just the MO of IT in my district.
Many here, I am sure, got in trouble in high school for exposing security issues in school IT. So I imagine we're all very happy to see a sane response from school administration for once!
I went to a small private Christian school back in the late 200X's, and not the type of private school that had gobs of money. For two years, our desktop computers in the computer lab and the English classroom ran Ubuntu Linux (presumably because Windows licenses were >$0). The only students with Linux experience were myself and a friend that I introduced to Linux (who is also now an IT professional).
For a month or two we systematically changed the remote desktop preferences to automatically accept new connections and not to display any messages saying that there is a connection. We tried to never sit at the same computer twice so that we could "adjust" as many computers as possible and to make a secret map of where each computer was by hostname.
If we were in the computer lab and feeling mischievous (always), we'd poll around English classroom hostnames to see if any were in use, or vice versa. We'd "help" people write their papers (very creatively, I might add), speedrun through other students' typing lessons, open a terminal and run "telnet towel.blinkenlights.nl", or whatever else we could come up with.
Well, wouldn't you know it, word gets around this is happening and we naturally get called in to the principal's office (because who else?). While expecting the worst, we were told "we know what you're doing, we don't know how to stop you, but we encourage you to stop and use your technical abilities productively instead" and were let off without punishment. We both came out of it with great respect for the administration because they showed us respect we didn't deserve, and we stopped.
I got in trouble once in high school just for discovering and then using `net send` to send a message to my friend that said "Hi from lab 3".
Computer lab access revoked for 6 weeks. Jokes on them, now I send socket messages to my friend that says "Hi from Chicago" and there's nothing they can do about it.
My friend however keeps begging me to use this thing called 'email' because he claims he doesn't see the socket messages.
Sorry you got access revoked. I accidentally did a net send (via the GUI) to the whole district domain instead of my friend in AP CS that said "Time for break!" right before the snack break.
In my next class, the teacher was talking about "Time for break" virus going around... :/
This was after the district IT wanted to suspend me for setting up a Windows 2000 domain for the yearbook lab, so I kept my mouth shut.
Everyone in my school net send bombed everyone all the time. I'm not sure how they didn't figure out how to just turn it off.
But I remember you had to do it from a library computer, because it said who it sent it from. So you had to do a little drive by walking net send as you walked out of the library to not get caught.
In our case it escalated to scripts with silent, random time delays. Launch it from a floppy, walk away and 87 minutes later everyone is wondering why a notice went out saying that a Toyota Corolla in the parking lot has its lights on.
That was exactly how we used to do it, from where we used to do it, haha. Are you my friend? Rodrigo? How's the weather in Miami? How 'bout those 'Canes?
I don't know. I feel like a lot of the people here celebrate their former exploits as though they weren't committing the computer equivalent of rifling through unlocked desk drawers and graffitiing the walls. They seem so surprised that overworked and underpaid public servants don't appreciate that.
There was an excessively annoying kid in my high school and I learned to send remote commands to any computer in our lab, so I sent a command on loop that continuously opened his disk drive (it would automatically re-open after closing), and if he was particularly annoying I would shut down his computer.
I never once got in trouble for it - the teacher would ask the class, directly looking at me, from time to time to stop it, but I never got in trouble.
I imagine he was just using those announcements to get me to stop from time to time, but knew this kid deserved it so he never did more than that.
Stories of more enlightened school administrators are always welcome.
My story: the "second best high school in the state" had an AT&T 3b2. They wouldn't let me take any classes that used it because they were afraid of what I might do to it (their words). I mean, they weren't actually wrong to worry, but it didn't really have anything on it.
It happens at "adult" jobs too. I found a number of webcams in the organization with no password. I flipped the image on one, and sent an email to IT saying, "Hey something's wrong with the web cam - it's upside down. Oh and probably you should put a password on it ;)"
It didn't go over so well. It embarrassed them and led to some major reprimands for me, almost to the point of losing my job for unauthorized access to systems.
Serious question. What, if any, instruction do kids these days receive regarding what's allowed on computer systems?
I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)
I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it. Fortunately, nothing ended up happening after that.
I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.
It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?
I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.
I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."
It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).
Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.
A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.
[1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.
> whether or not they had a nut allergy (protected by HIPAA)
Personal pet peeve:
Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.
FERPA could apply, but I don't know much about that.
Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.
Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admitting they made a mistake.
I can't answer your question, but I strongly suspect the backstory on your furious IT admin went something like this:
* SEND happened
* Minor kerfuffle ensued among various functionaries
* Big Boss worried that something Big was going on
* IT admin was questioned and had no answers
* Simmer for a few days, Big Boss repeating questions and IT admin being flummoxed
* Eventually adequate logs are found and correlated that place you as the likely responsible party
* IT admin is lathered up about a big nothing because Big Boss keeps asking and their competence is in question
* IT admin unleashes the pent up frustration of a few days of stupidity and job security uncertainty on you, and is not satisfied that all this drama was initiated by boredom and not malice
* IT admin reports to Big Boss, who basically brushes it off because they have moved on to other things -- and at the end of the day knows they run an organization filled with kids, some of whom are more curious than others
* Issue disappears
That said, I did know a kid that had charges pressed against him when I was in school so things weren’t necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.
Good old "net send." Out of all the things, that was the one I got chewed out about too.
Wasn't a regular MS user, but we were in a computer training lab at a company for "computer day" field trip. Was bored during instructions, so naturally I logged in, found "net send", and sent a few crank messages to classmates using * as destination. Everyone, including the instructor, got a good laugh.
Approached later in day by corporate IT. Apparently the lab had poor routing rules, no firewalls, and sat on the main Corp network. My messages were received on 25,000 terminals.
Thankfully, they recognized this as (a) harmless, and (b) their own lax failure. No adverse outcome.
This is excellent; reminds me of (very much smaller and far less cleverly executed) grief that I caused the administration at my HS back in the day[0].
There's a few comments about the risks along with a little surprise/at least applause for the administration choosing not to waste the courts/various other parts of the justice system with this prank. I completely agree -- I don't know if I'm terribly surprised they chose that route (whether or not they were truly upset in the first place). I applaud the students for executing this so carefully/well and if my kids pulled something like this off with this level of care -- well, they'd at least be getting a dinner out of their choosing -- probably a trip to a nearby theme park.
I suspect the kids involved were also certain that their approach, attention paid to keep from disrupting class and (thankfully thorough) testing that helped avoid a harmless prank turning into expensive litigation/really pissed off parents. But I'll bet there was a lot of fear around that, anyway! Had something gone awry -- and that's always where the risk is -- I'm guessing the outcome would have been more severe for these kids.
They really played the social engineering/covering their hind-quarters side of this prank very well. A large amount of effort was put toward making sure class was not interrupted[1], things worked and were tested and they provided detailed information to the administration on how to secure their systems -- that last piece allowing them to say "Without our minimally invasive prank and report you'd have never known these issues existed. We're not that special; a more malicious student could have discovered these flaws, opted for a porn broadcast and made it difficult/impossible to find them to punish." They probably understand their own school's administration and took an educated guess as to how they might handle something like that, too. At least for the scope of anything I did, I knew I wouldn't hear from the Vice Principal or Principal -- I'd solved various computer problems for them by then that the worst I'd get would be "that was cool, but please don't do that again."
I didn't get in trouble because the pranks worked similarly -- I tested/avoided disruption (most of the time), did no permanent damage and anything was resolved by a reboot (DOS and no fixed disk) and our harm was necessarily limited since there are only so many computers you can covertly pop a floppy disk in -- there was no network. The biggest factor, though, was that our programming teacher sometimes got involved, himself. He was the head of the math department, not your traditional "computer geek" and I was doing things that he wasn't teaching, so he encouraged it. The guy was amazing (passed away in the mid-00s).
So, kids, if you do try this at home, make sure it all works, provably, very very well and don't do anything that will give them other reasons to throw the book at you. And if your administration has more than the typical "Zero Tolerance[2]" stance on things, it's just a bad idea regardless.
I'm sure there were a few among the ranks that became furious but cooler heads prevailed. The report at the end was a nice touch.
[0] Mostly contained in the computer lab, which was non-networked, but when we discovered the three-letter-acronym TSR (DOS's Terminate and Stay Ready) and realized it was rare that another student would reboot an already booted machine (it took forever counting to the 512KB or so RAM installed). Incredibly, I graduated in the late 90s -- my Senior year, the lab that taught (Turbo, then Borland) Pascal was 15 years behind what most people had at home... these diskless all-in-one bastards wouldn't break.
[1] I'm sure it took the kids a little longer to get to their classes after that all happened -- that's a minor, completely expected, situation here and at least a small reward for the efforts involved.
[2] The school ten miles north of us was in a rural district and had a parking lot full of trucks with hunting rifles attached sitting in the parking lot every day (well after all of the schools installed additional locks and added security theater to make parents feel better post-Columbine)...that wasn't forbidden at least as far back as the early 00s and I wouldn't be surprised if a blind eye is mostly turned, today in some parts of that district.
Up until OP starts working out the frustrations of RTSP it was pretty much a yawner "scan for ports, http to them, see if sumthins there and unguarded". But the perseverance to make a prank work like that with a finicky protocol across a wide variety of different OEM hardware is really exceptional!
Fun story! Such incredible attention to detail and thoughtfulness, all the way up to automatically sending a pen test report to the district's technical supervisors, and sharing a presentation after graduation. This kid was one step ahead all along.
Neat story, and this is clearly harmless. But isn't the most basic, fundamental, number one rule of security/pen testing to try to break into a system (no matter how weak) if and only if you've been given clearance beforehand? Why doesn't that hold here?
The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educators being smart enough to admit that they made a mistake and to encourage the students to develop their talent.
Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We sent a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."
I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.
When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.
Seconded, the same advice has also been given to me back in India.
"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept a lot of people can be.
And you just volunteer to be thrown under the bus as that "hacker."
Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.
It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomfortable situations as well.
It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principal.
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.
I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.
For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)
While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?
The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.
Pretty sure there's nothing stopping the school district from retroactively rescinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.
He addresses this pretty well in the post imo. His co-conspirators remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.
It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:
> a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.
However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).
The newest policy is to charge minors as adults unless there's a compelling and beneficial reason not to. I think that was a DOJ change around 2009. Not sure how many states followed suit. But in general, it's increasingly likely that minors are being charged as adults.
I was suspended for a week for creating a network share in my typing class and dividing the work among my friends and we copied and pasted into a single document on the share. This was on Windows NT though so a LONG time ago. It's also I guess "cheating". But they got us on "computer hacking"
Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document
Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.
25 years ago wasn’t any better… I recall several in my circle getting suspended for harmless things. The lesson: don’t explore, don’t be curious, and don’t try to fix anything related to the school and computers. Sigh.
Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?
You're not wrong, but I think it might be helpful to think of this in different terms. Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.
I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.
You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.
But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.
People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.
Yep. What they did was wrong. And by doing so they threw themselves at the mercy of the entity they hacked. The refreshing part is that the entity did the morally right thing and showed mercy.
except in the case of my home all my doors were unlocked. I would definitely appreciate a paper about how to secure my home, especially if the intruder took great care not to cause any damage or disturbance.
Not to diminish your comment, but a thing I've found late in my career is to abandon dogma when it comes to young folks learning. If they can learn with PowerShell, they're a lot better off than a lot of young folks! There is no one-true-way and as soon as you find it, another generation will show up with another-true-way :)
You're glad to see them using the ancient clusterfuck that is Bash, and not a modern relatively sane shell that is indisputably the most seminal shell in the last 30 years?
Nah, I actually used powershell before bash because I did a lot of android hacking stuff before learning to code. I worked with Powershell 3, powershell 4 and powershell 5. Powershell 3 was the most painful thing to work with. No state across sessions, the defaults were shit so I had to reconfigure more often than not. Slow, painful, buggy... Around the same time I learned how to bash pretty well in two days, use rsync, use ssh, use sed and awk... Powershell 3 was shit compared to this.
Then I used powershell4, I guess it was better but honestly I don't think I've used it very much. Powershell5 might be better than bash for 90% of the dev population though.
Credit where credit is due, we all WISH *nix had something like PowerShell. Passing strings from program to program is a pain, passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
PowerShell has been available on Linux via .NET Core since 2016 and version 6.0. Even my Windows box with PowerShell 5.1 likes to remind me of this fact every time I start it:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
There have been REPLs like PowerShell for ages, it's nothing really new. The only nuance in this is that it is new in the Windows ecosystem to have something like that supported by Microsoft. Ironically, it hasn't managed to displace the command prompt or batch files, so instead of having to deal with one thing, you now have to deal with two things.
As for the passing of strings: it might seem like a pain, but as soon as you start working with non-program I/O it's not like you'll have much of a choice. Keep in mind that it is the lowest form of communication and you can build on top of that. Same with I/O in general: nothing prevents you from using shared memory or a device instead.
> Ironically, it hasn't managed to displace the command prompt or batch files
I don't think they expect that people would rewrite their old scripts. That is actually silly to consider. Even with console vs terminal, they are concerned about backward compatibility and leaving it as is:
> Windows Console will continue to ship within Windows for decades to come in order to ensure backward compatibility with the many millions of existing/legacy command-line scripts, apps, and tools
They could just have an alternative interpreter mode to support batch files, or even have a cmdlet that does just that. If people like to point and click, associate that with a cmdlet (they can do that, right?) and there you go.
And behind the scenes of internet-based services there's a whole ecosystem of "how can we do shit more robustly than just passing strings around" (or even for "better than XML or JSON").
> Credit where credit is due, we all WISH *nix had something like PowerShell.
Who is "we". I've worked exclusively on a windows stack so used powershell on the job. But at home, I use bash. I don't want something like powershell in *nix and don't use powershell on *nix even though it's been available on *nix for many years now.
> Passing strings from program to program is a pain
You can argue it's the basis of computer science and also pretty efficient.
> passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
Passing around objects can be slow, inefficient, wasteful, etc though it can be convenient.
If you are on a windows stack then go with powershell. If not, then go with bash. Nobody should be on a windows stack but sadly, much of the business world has been captured by microsoft.
>The school would not have any say about whether or not this happens.
Schools are members of the local government "club". Prosecutors don't generally burn political capital giving the bird to other members of the club like that without a good reason.
Fellow high school students just loved me when, after giving up on ophcrack, I found out that on Windows XP, a limited account could simply escalate privileges by scheduling a command.
First installed some open source FPS on all computers. They got found and removed, and we all got moved to guest accounts.
I then found something called DreampackPL. Just pop in the CD, boot on it, replace the pinball game with their executable, reboot. And voilà, access to everything. Just remember to put the pinball back afterwards.
That’s when the BIOS got password protected.
My next step? Opening the machines up to move a jumper. Do everything all over again, but this time on a hidden windows account.
The IT admin was a student’s parent. Just spent years making the poor guy run in circles before the school administration finally gave up.
In case anyone else is wondering how the heck the kid got access to the district's network, the key sentence is hidden in the middle of the post:
Since freshman year, I had complete access to the IPTV system. I only messed around with it a few times and had plans for a senior prank, but it moved to the back of my mind and eventually went forgotten.
Not sure why they don't go into more detail about how exactly "complete access" was obtained, since that is obviously the hardest part of hacking any system. Not trying to downplay the achievement here, just think that this would have deserved a bit more detail.
He explains it quite clearly that him and his friends were port scanning the school's network for funsies.
"From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!"
We figured out that our computer class had a few computers infected by the Ambulance virus[0]. So of course we intentionally infected all the computers with it =)
On the other hand me and a few of my friends were the only computer literate people in the school and were tasked with removing it in the end.
But still, it was fun seeing a whole class of computers have an ambulance run at the bottom of the screen with the poor beeper emulating the siren.
Earlier versions of Intel Management Engine used ARC core. It is somewhat funny to see Intel licensing third-party CPU IP core to use in their CPUs of all the things…
I got in trouble and subsequently suspended from school back in the ‘90s for causing BSODs on classmates' computers using WinNuke [0]. They classed it as vandalism even though the payload causes no permanent damage (apart from losing unsaved work).
I found more severe vulnerabilities including being able to lift home addresses of students by querying an unprotected endpoint. Didn’t get in trouble for this one, and reported it promptly to the IT administrator.
My first thought when I read the headline was "another kid with a felony following them around for a prank that didn't harm anyone". Nice to see they weren't prosecuted.
Given the amount of press this is receiving and the fact that the message the administration sent to them seemed a bit suspect, I wouldn't be surprised if the kids did end up catching several charges.
I'm impressed with how much foresight this high schooler had in preparing for the prank. My impression is that most high school age kids would out themselves within the first few weeks of planning due to wanting to boast, here they instead took to testing covertly, overnight.
Someone I know did something similar, was arrested in their college dorm, and at the sentencing hearing in federal court was fined and sentenced to 5 years probation, and now has a criminal record.
This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.
If you want to end up with a criminal record that will profoundly affect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.
I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.
Posts like yours validate the insane over criminalization of what essentially amounts to a prank. I had literally the exact same experience in high school. Got expelled and had to get a GED. They could have easily pressed charges.
Part of the issue is people like you who advocate for respecting "the system" and essentially scaring kids into not doing anything. Except that simply reinforces the draconian laws that are currently in place. If more kids rebelled and this was a regular occurrence it would help to desensitize society to digital pranks instead of always treating these kids like terrorists.
GP isn't validating over criminalization. GP is trying to steer people clear of catching charges. The end result for both is, "Don't hack your school district for a prank," but the contexts of the two are very different. Students' minds are still developing. You can tell them not to respect Draconian laws surrounding hacking, but do the students understand what's at stake?
Yes, students get in trouble all the time, but most of the consequences for their stupidity are slaps on the hand. Lunch in a classroom, a parent-teacher conference, after school detention, in-school suspension, getting grounded - none of these things carry civil or criminal charges that are a matter of record. What should be a harmless prank can turn into life-altering civil and criminal charges. With high school kids, things quickly go from, "I hacked the school network to do a Rick Roll; they laughed and sent me on my way," all the way to, "I gave my friend the exploit to do something similar; I didn't know he was going to change everyone's grades to 69%."
Further, I would not want to teach in a district where students doing digital pranks is the norm. I volunteer at a high school. Unchecked digital pranks would quickly turn into a constant stream of disruptions. Everyone would think that their prank is better than the last.
Unfortunately, "desensitizing" people to existing law by illegal rebellions is a Pyrrhic victory at best when the consequences are so impactful to the individuals that martyr for The Cause.
There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking. If the laws feel draconian, perhaps following those processes might be a better approach to change the system without as many sacrifices.
>There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking.
And none of them work, or will ever work in this oligarchy. The rich own the congress, and the senate, and they benefit greatly from these things. America hasn't been a functioning republic in at least 50 years.
I don't understand this response. Having been on the wrong end of it you should be advocating harder than anyone to teach kids the complexities of cybersecurity law and ensure they can make the right decisions rather than throw away their future over a stupid prank. There is no "validation" happening here, the OP is just stating reality. Random high schoolers' rebellions aren't going to result in Congress overturning the Computer Fraud and Abuse Act and a hundred related laws.
Unless you kill someone I generally don’t believe in life long criminal records. They only serve to drive people into further criminality.
I imagine for a robbery you could get 5 years in prison, 5 years with it on your record and then automatically get it expunged.
Back to the topic at hand, what if the IT hack stopped people from getting paid on time. How many suffered emotional distress? Evictions can literally cause suicide.
Maybe someone can’t afford medication, skip it and have a stroke.
The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.
People want simple easy solutions. Things are much more complicated. If you release a dozen felons 5 years early and 2 go on to commit horrific crimes it’s easy to ignore the good the other 10 did.
I dunno. Assault that permanently injures someone, rape, kidnapping, and trafficking are lifelong scarring for the victims. I may not rank computer hacking or selling drugs as deserving of a permanent record, but there are lots of other violent crimes short of homicide that do.
> The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.
Welcome to the War On Redemption. Primary participants are the harmful people who create these systems and the people who remain silent while countless lives are ruined for no good result.
I don't think it's the record's duty to keep you from being employed. That's the employer's decision.
Even if I agree that it's a dumb practice, you're proposing a world where employers are free to refuse your hire if you (eg.) were fired from a job 26 years ago, but not because you were convicted of a crime.
I don't think telling kids not to narc on themselves "validates the insane over-criminalization". I think telling legislators or parents would, though.
The comment didn't say "respect the system", it said to deal in the realpolitik and don't try to effect legislative change by ruining your life as a high school student.
Why do we tolerate pranks? You shouldn't be able to interfere with someone else and say 'just a prank bro'. Leave other people's things alone. Don't create work for other people. Don't bother people just trying to do their jobs. Don't impose your sense of humour on others. These all seem like basics to me?
If you think someone's funny? Great. Just don't bother other people with it. Do it with your own stuff, not other people's.
Pranks can be an outlet for creativity and learning that might not otherwise happen.
The post concludes with:
> This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me. That's all and thanks for reading!
I'm certain this kid learned so much working through the execution of this prank, and without being criminalized by the district, he's better off for it. Likewise, the IT department is better off with a more secure system, and staff and students experienced shared moments of unexpected joy.
Call me naive, but I'd say this kid made his small slice of the world a bit better, if only for a fleeting moment.
> Pranks can be an outlet for creativity and learning that might not otherwise happen.
Great.
But do it with your own things then. Don't bother anyone else or touch anyone else's things.
And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.
> But do it with your own things then. Don't bother anyone else or touch anyone else's things.
You're really oversimplifying here. Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.
> And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.
> Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.
So they shouldn't have done it.
> Okay, let's all be worker robots :)
It's not about what you want to do. It's about what some low-paid worker who has to clean up after you thinks. Or some other student inconvenienced by your prank thinks.
If you're impacting on someone else's life then you're in the wrong!
Who had to clean up here? Author cleaned up their own problem and literally delivered a detailed security report on how to fix the issue (not the damage done by the prank, which was zero).
Seems like it disrupts a class to me? What about the students who don't want to have their class disrupted? What about the teacher who has to catch up later?
What if these people don't want your sense of humour imposed on them?
> One of our top priorities was to avoid disrupting classes, meaning we could only pull off the prank before school started, during passing periods, or after school.
As the author points out early on in this article, most school districts would not have tolerated a prank like this. In fact this is the only example I know about a prank this big that got the response of toleration the author documented in the article.
> You shouldn't be able to interfere with someone else and say 'just a prank bro'.
The students made a report of what they did and presented it to the administration.
I guess to be generous I could reinterpret your concern to be, "Do students in every school district in the U.S. get to avoid criminal prosecution under the draconian CFAA by constructing a complex hack tailored to avoid interrupting regular school business, then writing up a report and giving a powerpoint presentation to an apparently enlightened and tech-savvy administration to help them strengthen their network defenses?" In that case, point taken.
Of course that's not okay. But if you're wearing a device marketed to you as a 'force field' because you're afraid of being pushed down the street and someone demonstrates that your force field isn't working by dancing really close to you, that's probably okay.
By saying that you're imposing your sense of humor on others too (as in, the prankster's sense of humor is "pranks are funny"; your sense of humor is "pranks are not funny"; according to your comment your stance is that pranks shouldn't be tolerated). You don't have to laugh, and you're free to say you don't like pranks. But tolerating other people's opinions/sense of humor/whathaveyou seems like basics to me.
(Maybe we just have different experiences and thus different definitions of the word.)
It’s like smoking. I should tolerate someone smoking in their own home. Should I have to tolerate someone smoking on public transport next to me? Absolutely not. Even if it’s their opinion that smoke is nice.
When people say "establishing intent" in terms of criminal cases, this is usually a shorthand for something more specifically defined in the law, like "intent to do harm" or something.
To use the murder example again: many people who commit manslaughter have all kinds of various intentions. The one murder is concerned with is whether or not they specifically had the intent to kill the person. "Establishing intent" in this scenario is specifically regarding that one intent. Not any intent.
I think you misread the GP. He's not defending the system, just describing it, and how the OP was lucky that the people in charge were unusual and open-minded. He's warning others that the risk/reward implied by the OP's experience is misleading.
I suspect that most commenters on this site applaud the kid's adventurousness and style. A great hack! But we are uniquely aware of how rare it is that anyone with authority, school administrators or law enforcement, would show any leniency or self-restraint in these cases. On balance, the instinct seems to go for the jugular, dehumanize the kid as a criminal hacker, and ruin his life. No-one is saying that's good, or reasonable. It's just how it is.
We need to have harsh penalties for this. People who don't understand the complex systems they were able to access might introduce vulnerabilities that more malicious entities can exploit. An example of this would be a student at a university accessing the internal network (intranet) from a physical terminal in a building and accidentally disabling a firewall (say, to play a video from a remote location). In doing so, it's no longer just a prank, as they may have exposed the entire internal network to the outside internet.
This is a super basic example, but it serves to illustrate my point. It's not just a prank bro, even when it is.
Ah, 2021, such sad times, where we squash our creativities in fear of the police, where you'd think twice before doing something like one of the MIT hacks http://hacks.mit.edu ...
I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.
I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...
> I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.
If you read TFA, that is effectively what happened. Even with the guarantee, only one of them revealed themselves.
> I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...
Criminal charges are generally filed by the prosecutor. They'll generally follow the wishes of the victim, but are not required to (think, e.g., domestic violence cases). There is absolutely zero the school can do to guarantee that you won't be charged if the prosecutor does catch wind of the incident and decides to make an example of you.
This is generally true, but the CFAA is obviously not violated by access which is authorised. In this case, you could simply draw up a pentest agreement and get them to say any such activity would be authorised.
My understanding is that in America, prosecutors are often political appointees without much institutional oversight, as compared to being a reasonably dull civil service department who have to justify prosecutions as being in the public interest.
I remember back in high school we had this computer lab that was all locked down. Didn't allow opening the CD-ROM drives, only allowed certain educational websites, etc. I put a little remote access app on my share drive as a way to open my own CD drive, mostly just to see if I could do it. The school's computer guy came and found me and was like "hey, a file pinged as malware, what's up with that" and we had a fun discussion about it and I deleted it and we moved on with our lives. I didn't think about it again. Years later, I looked back with horror at how badly that could have gone for me.
Ah, you young whippersnappers with your labs and networks and CDs... my high school just got one Commodore PET, that was "the school computer" in my day.
Fortunately, I got on well with the math teacher who had charge of it, and he'd let me take it home over the weekends. Those were the days...
The CFAA exists to make sure that nobody can use computers and the internet to have any power over even tyrannical authorities.
CFAA and the DMCA are some of the worst, most authoritarian laws ever created, and they exist to do nothing other than ensure a system where being rich enough to afford lawyers means you don't have to do anything else.
Use default passwords like an idiot and someone uses their autofill? They're the criminal, not you.
Let people just change the account number in the address bar and switch accounts with zero authorization or authentication? They're the criminal, not you. (Bank of America literally did this.)
Have open access for students to download papers and one of them uses it to download all of them? They're the criminal, not you. (RIP Aaron Swartz)
I support jury nullification for the CFAA and DMCA and so should everyone reading this.
I know somebody - I think they post here, hi! - who ended up in "weekend jail" with a conviction for sharing a school's WiFi password without permission. I also once got reprimanded for writing a blog post not too dissimilar to this one at a less sympathetic school. I also remember the joy of hiding a server in the ceiling of our school so we could play UT2K3 on the library computers before that exploded similarly. Adults are so boring.
Every district is different, heck -- every school within a district can be different in extreme discipline like this. Frankly, the size of his district represented a lot of risk; those often have the policies with the least wiggle-room -- like "Weekend Jail for Sharing a WiFi password" (insane).
At the school my child attends, I am confident he would have ended up with a pat on the back if the circumstances were similar. I can't speak for the district -- I'd be willing to bet that'd be very risky. At the school I had once attended, I'd expect the entire district would behave similarly. I'm sure there were people within the district administration that wanted to throw the book at the kids involved.
Here's the thing for those people: the last thing a school district wants is to become national news for punishing a bunch of kids who the evening news can make out to look like "Geniuses". Since nothing failed in their plan -- that's crazy important -- there would be very few ways to frame the story that makes the administration look like anything but bullies, and many will frame them as "petty bullies". I have a friend I went to High School with who is now a High School principal. He's still "that guy I went to High School with." I have no doubt he would have given the kids an award privately, if not publicly.
It's sad that some public school districts are using discipline approaches you'd expect to see in prisons, rather than a school, and I'm sure in certain places in the country, that might be a necessity. Context matters, too -- were these kids who were constantly pulling pranks like this, had been talked to in the past/impacted things in the past, etc, I'd expect a harsh response: "Yes, we get it, you're smart, stop breaking things already, read the horrors of the 1986 CFAA because that's coming if it happens again." I'm guessing these were otherwise good students.
When I was younger (~15) I also did some "fun" (aka stupid) stuff with the school computer network and in the end they got me and I received a "formal warning" (it was in France).
In the end I'm glad for it because that scared me off and I never tried again on stuff that I don't own.
But putting a kid in jail/having a criminal record seems way too excessive to me. Kids are dumb. And by punishing them that hard they won't become a better person. Hell, they won't be able to have a job!
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Or maybe it will shame other IT departments into not having a stick up their butt. Especially if there is already a culture of overlooking minor criminal activity in the name of harmless pranks.
There is something obscenely totalitarian about this whole mindset. You're making a very pragmatic point, but take a step back and look at the whole thing.
You're warning a teenager against making a brilliant, harmless, funny and responsible prank so that they won't get their whole life fucked up forever. Think a little about what kind of political system necessitates that kind of ridiculous warning. What sort of nation does this kind of thing to its kids? If we strike the United States from the list, what sort of countries are left?
You guys really need to get your so-called justice system sorted out. Sorry to make such a blunt point, but this is depressing as hell.
When I was in High School in 2003 I discovered you could pretty easily get around the tool that blocked running installers by launching them by entering the full path to the installer in the address bar of Internet Explorer. This was before Windows and IE were decoupled. I installed VNC server on a couple friends' computers and used it for some lighthearted pranks, but didn't do anything else with it.
One of my friends who I did this to went crazy with it and used it to mess with his teachers' computers. Ended up in huge trouble, cops knocking on his door, and I believe probation. This was the year after I graduated.
On the one hand, I kind of feel responsible for showing him, on the other hand, it's his fault he had to go off and be an idiot with something I just thought was fun.
This post is 100% spot on. While the local school district may treat it as a prank, in the U.S. the federal authorities may not. To see how seriously the government takes this act, look at the penalties section of the relevant U.S. code.
And yet, there is overwhelming demand for what the government calls "cyber security". As a developer it is easy to get good at your craft by practicing and learning. How in the world is a security specialist able to practice without asking for permission or already having a job? A home lab setup? A college degree and formal education? I'm curious how people actually evaluate this career choice.
In my personal experience with working in government related cyber security, the positions are for dudes that type bash commands to run tools that are all developed by 3p companies, which end up hiring people regardless of criminal history.
Yeah, go to them about ransomware gangs or nation state actors and you basically get told "lol we can't do shit". Complain about a kid prank and they'll go apeshit and make a, uhh, federal case of it to make themselves feel needed.
Gross but true. The administration has every incentive and opportunity to spin this into a self-serving story about taking down evil sinister hackers -- and maybe scapegoat a few unrelated problems while they are at it.
I am delighted that these admins had the character to resist the perverse incentives of the system.
> Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK
Maybe a bit overzealous with the reaction here. OK, sure, the OP could have been even more serious about this but literally the first labeled section is "DISCLAIMER" and says:
> With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.
I'd actually wonder if criminal history matters when you have skills like this that are very much in demand.
If this went to court, the charges of malicious intent would likely not stick, so jail time could likely be avoided in lieu of fine/community service.
Competent tech companies will not give a shit about criminal record of this nature.
Expulsion from school is pretty much irrelevant, especially for CS careers. You can get a GED, find any college with CS program that will take your money, spend a year having fun, apply for an internship at a tech company, do a good job to be offered a return, talk to HR to go directly into entry level role, and you are set (have personally seen 2 cases of this happening with an intern).
The most functionally harmful thing would be monetary cost, which is still inconsequential considering the salary this guy would make.
It depends on how regulated the particular industry is. If you're building consumer web apps at a startup, it probably won't matter. If you want to be a government contractor, it's probably a nonstarter.
Most of the industry where the guy will be paid appropriately is going to be private. Cyber security specialists for things like AWS get paid much more than any government contractor.
For anyone who likes to hack legally and ethically, check out https://www.hackerone.com/. If you're very good at hacking devices, software, networks, etc, companies will pay bounties for the vulnerabilities you find thru HackerOne.
Looks like they paid out millions in bounty in 2020:
Worth a try, but I didn't have a good experience with it.
Companies can mark items as duplicates without fixing the underlying bug for an indefinite period of time. So the 3 vulnerabilities I found all got marked as duplicates without any compensation or even acknowledgement of my time writing up the issues. Felt like a complete waste of time.
If you're great, you can probably find novel stuff better than I was able to, but if you're that great you likely already have plenty of employment opportunities.
Malicious hackers could have shown something unspeakably vile on all those screens. If this kid reduced the likelihood of that... he's a hero. Alas, I totally hear you.
yeah, it's pretty messed up that there's such extremely heavy penalties for merely playing a youtube video on a few screens whereas looting and stealing go completely unpunished. what kind of message is that sending to our youth?
Glad to see a cooperative and supportive academic administration, and I'm sure the thoroughness and planning that the team demonstrated made it easier on the administration.
The sheer amount of testing and verifying no major impact to academic testing took place probably helped, and cleaning up after themselves and documenting their finding and reporting it to IT was a cherry on the top.
I like that the administration even requested that the team brief the district IT on the "attack".
Much less exciting, but when I was in high school I discovered an unsecured messaging service that could be accessed via a Web interface. This included the ability to send messages to any user logged in to any machine. And also the ability to broadcast messages to all machines in the school. I was never bold enough to test this feature but word got around after I showed a few friends and eventually someone decided to broadcast a rather crude message about our principal. One thing this student didn't realize is that all messages are logged and the sender was easily found and disciplined.
It could have been a lot of fun if schools in the early 2000s were as well-connected as they seem to be now. We were still working with overhead projectors at the time.
Cool, I guess, but "scary" and as always a bit obnoxious to read about for me.
Anyway, it was fun to learn about the "obscure ARC architecture" used by the IoT devices in question. Unpacked to "Argonaut RISC Core", that made me curious enough to look it up since I hadn't heard of it. And sure enough, it was related to Argonaut as in "the UK game developers founded by Jez San" [1]. That's a really interesting development! :)
When I was in school we were trying to improve the IT, but as we "knew too much" and preferred Linux over Netware we weren't trusted. Also everything was run by the teachers, we didn't help either.
Each summer they "improved" security and in less than a week we again had all of the important passwords. Even the one of the top sysadmin - which really was the one he told some students when he was drunk (everyone thought he was joking).
We didn't prank, but instead installed Duke Nukem on the Netware login drive or enabled internet access when the teachers weren't around or didn't want to give us access.
In middle school I used Javascript to change Google's button text from "I'm feeling lucky!" to "Andrew is the best!" (javascript:getElementById('').text='blah')
I showed some other students who were so freaked out that I had "hacked Google" that I got the attention of the librarian, who promptly banned me from the library computers for the rest of the year, even after I refreshed the page to show them it wasn't "real". Oof.
Haha when I was searching for printers across the district network the librarian was looking at my screen. She called me out across the room asking why I was looking at printers at a different school. Oof.
I wrote an infinite loop in postscript and sent it to all the printers. This was when postscript printers cost a fortune so there were not many of them. Fun days were those.
Do prosecutors need consent from victims to file charges in cases like this?
Also if you're going to commit a crime and brag about it, don't say "hey well they would point the finger at me anyway and I'm not going to name my partners." You've just told them there are coconspirators, and you don't have a right not to incriminate others.
They don't legally need it, but such cases are pretty much dead in court without the victim's cooperation so the prosecution will almost always drop it.
In 2001, in 7th grade at the beginning of my web dev "career", so to speak, I made a website that looked exactly like our school district's "snow day" school closure and delay page -- and I allowed anyone to edit the message. I told a few kids about this -- it was a pinnacle of my PHP prowess back then.
Got called into an office -- a gifted program administration, not the regular school office. I think one of the teachers there caught wind of my cool little trick, and asked me to take it down right then and there. I was terrified, as I wasn't really someone to get into any sort of trouble. I was able to take it down through their machine's Windows Explorer's FTP access.
Now I realize that this teacher probably saved me from a lot of trouble. I wish these sort of stories were the norm -- where educators welcome the natural curiosity instead of throwing the law at kids who dare to think outside the box.
Reminds me of when I attended my district's technical career center for 2 years. We had ~3 hours of various IT learning every morning with kids from high schools all over the county before we all went back to our normal schools.
We'd of course run out of stuff to do and start messing around with our newly honed skills. Learning about net send wasn't too bad, we just sent dumb messages to each other. But learning vbscript combined with net send... you could DoS the other machines with a for loop.
One morning I was playing around with the net send script, but accidentally plugged into the schoolwide LAN instead of our local network... every computer in the building got locked down with some idiotic message my 17 year old brain had come up with. IT took an educated guess and came down to our class and I fessed up, thankfully they let me off with a stern talking to and promises to never do it again.
I was at my own community college 2 years ago, and they had those Smart TVs showing news and weather everywhere, as well as custom images uploaded by the clubs on campus.
It was supposed to be that a club could log into them, make, and submit a graphic to display on the TVs, but the school would have to review them before they would be displayed.
However, I would later find out, a software update had messed up the roles system and so that club username/password which was in a public document actually had the ability to post things immediately on the TVs, without review. I found this out when I made a Math Club poster, hit the button, and it was immediately live without a check.
I just reported it and it was fixed the next day. My instructor said that could have been really really bad considering some more unscrupulous college kids who would have (not naming names) probably gotten a kick out of throwing pr0n on them...
I wonder how they managed to achieve perfect synchronization across the whole district, or even between IPTV players in one school. Sure, maybe that ability is built into the IPTV system, but I wonder how it's done. Did the players all sync their clocks from a central server, pre-buffer the stream, then start playing when the local clock hit a certain time?
> With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.
Note well that the victim of a crime does not get any say in whether or not a prosecutor prosecutes a crime. "Pressing charges" is a myth.
The probability of a prosecutor filing charges decreases significantly if the victim does not want a case to go forward, and even more if they actively do not want to cooperate with the court case.
I remember being in elementary school and avoiding the net nanny by viewing one of the network drives that students (somehow) had access to but weren't told about. Eventually, someone in my class poked around enough to find BESS.exe and deleted it and we had unfiltered internet for a day.
my old school used this old as hell system using two solaris servers that we would connect to via thin clients. i got root creds to everything in our school district and on my very last day at that school i decided i'd do everyone a favour and at least update the system from firefox 3 to firefox 12. well, shortly after installing the package everyone's clients stopped responding and that's the day i learned about dependencies. everyone kind of knew it had to be me that screwed everything, but nobody said anything and they were grateful to have gotten rid of that horrible old system.
Unfortunately they decided to replace it with windows now, but my little brother is doing a great job keeping the people managing that new system on their toes ;)
when I was in high school, we had been battling on the pdp11 (running rsts), and when they finally upgraded to vax/vms they just gave up and gave us a small vax system to ourselves to battle on. it was much less disruptive than the hijinks we had previously been up to.
of course, this was in the days when pad-pad was a thing out in the real world, so false logins on vt100/vt220 terminals was all too easy to fake.
I am still thankful that they decided to set that up (we even had physical machine access) - such a better solution than just letting us go wild on the local network.
I once wrote a script that would pluck the entire student’s computer and rat them out hard in case they tried to exploit some vulnerability. Alas, no one got owned, at least not until I graduated.
Hopefully everyone here has seen the movie Hackers, where a similar, but slightly more destructive prank involving the school's sprinkler system took place.
Hey, thanks for the reply. Appreciate the writeup too, it was a fun read. Hope you don't mind but I have a few more questions.
How were you able to get Chrome RDP access setup without admin privileges? I assume this is automatically blocked via group policy.
Now that you have Chrome RDP setup, how were you able to access these machines from outside the network from home?
"since I could come in-person with my team for security competitions" I'm really intrigued now. What were these security competitions about and were they part of a class you were in?
Ugh. I worked school IT in the past. You're not as smart as you think you are. These vulnerabilities are typically known but there's not enough time, money, or the devices themselves can't really be locked down or hacker proofed any more than they already are.
If you do something like this at least consider that someone else is going to be cleaning your mess up.
School kids are the worst users you can ask for. Unlike a normal business where they'd be punished or removed for something like this the kids will deliberately try to destroy the school network.
Maybe, maybe not. The author has graduated from High School, meaning they're about to enter college or the workforce. I wouldn't be surprised to see this level of detail from someone at that level academically. Delighted, yes. Would I expect it from everyone? Hell no.
But surprised that a tech-enthusiast and eager learner might have put this much thought into this prank and its potential consequences, not so much.
Teenagers/young adults tend to have different stressors and other things to occupy their time than the average adult in the workforce, meaning the author likely gave this prank a fair amount of their free time, and that dedication showed through in the amount of planning done.
Additionally it's likely, given they mentioned once or twice in the article they planned on posting a blog about the prank, that they might be hoping to use this on their resume or as a talking point in their career. If they're hoping to go into security or comp sci, this would be a decent feather in their cap and the amount of time spent is easily justified.
These devices were unsecured for a reason: there wasn't money to hire competent people who would make all services secure.
Finding a vulnerability in the grade tracking system is much different than in IPTV: the first can have real-life implications, the latter only gives the attacker bragging rights. Only students would benefit from hacking IPTV (for funsies), but patching it requires funds nonetheless, and then further effort from staff when the default user/pass doesn't work. And then we complain about the hidden costs of low-trust societies.
If the guy had written to the admins about it, they probably would've replied "yeah we know about it, please don't do it".
"But I want to because I can and you're too lazy and incompetent to fix it."
"Okay then here's 50 bucks, please fix it for us, we don't have time for this nonsense."
"F off", and then proceeds to rick roll because that can get him to HN front page.
1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."
2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."
3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)
4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"
5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.
6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"
7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )
8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.
9. About 6 months later, I quit.