
Three things are remarkable about this, and make it a happy story.

First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.

Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.

Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.

My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.




The school district itself was relatively chill, however the individual deans freaked out. Because the penetration report was sent to the tech team and not the deans, the deans were intent on finding out exactly who did the hack to find something to report to their bosses (and according to them concern about the grade book system being exposed?? Not sure how you’re supposed to rick roll a grade book but if anyone has an idea I’d love to know). As the earliest poster of footage of this event, I actually got tracked down (despite the fact that the only information they had to go off of was my YouTube channel which had no references to my actual name whatsoever) and interrogated about what I knew of the event by the dean. The penetration report had been sent a while prior to this (which I knew about, as being a sibling of the original blog poster can have many benefits) which made the entire thing so much funnier. I was thankful that masks were a requirement for in-person students at the time, as my mouth was literally twitching the entire time during the interrogation.


> grade book system being exposed

In our high school they didn't expose the gradebook in that you could get in and change it, but we were able to see everyone else's grades. Teachers would post grades for their class and "obscure" it by posting it with the student ID (you were only supposed to know your own) next to the grade. But when they posted, the entire list was still in alphabetical order so it wasn't hard to figure out everyone's grade and student ID.

And the cherry on top of this was that all the students' passwords were their student ID.


>and according to them concern about the grade book system being exposed??

Junior year in high school, I got suspended for "hacking."

The tl;dr is that I was using a proxy to fetch assignments for class (because the county decided "yeah, this state-run Moodle instance is obviously not appropriate for education" and one of my classes used Moodle) and got caught with the proxy configuration screen open. I wish I was joking.

Anyway, when I was sitting in the guidance counselor's office as the teacher was talking up how "dangerous" I was, I noticed a sticky note with a username and password written on it. Turns out it was an admin account for the gradebook, though I think it was just intended for scheduling.

I never did anything bad with those credentials, but that really tanked what little respect I still had for the administrators there.

On a lighter note, when Stack Exchange & co got blocked the next year, I was good friends with the librarians since I helped out a fair amount fixing up their laptop carts (and doing other things the sysadmins were too busy to take care of), and they were able to get them unblocked. It taught me a lot about office politics: people are willing to return favors, so you should always make those connections.


>but that really tanked what little respect I still had for the administrators there.

I mean, why did you have any in the first place?

I've met very, very few employees of high schools who were worthy of any sort of intellectual or professional respect.


yeah, those inner connections were really important. guess it was a good thing my brother was friends with the tech person at our school.


Yep. It's also a general signal that you're a good actor willing to do the work. An observer with no interaction can see what you did for the librarians and put in a good word for you somewhere without you ever even knowing.


> despite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever

Assuming you took the video at the top of the article, it was presumably trivial to figure out who was in the class you were in and then rule out everyone who appears on camera as the camera man. Or just ask the teacher...


For contrast, I once got suspended from the school computer labs for two weeks for the heinous crime of... running an unauthorized executable from a flash drive.

It was Rainmeter; I was showing it to a friend. The IT guy even was like "yeah Rainmeter's pretty cool, I read about it in a magazine". But it was auto-detected and school policy, apparently.


If they were that nazi-like with their IT policy, why wasn't AppLocker turned on?

Why report when you can simply administratively deny?


Same story but with PuTTY.

My own child will never use a school-issued laptop or school wifi.



