They Hacked Their School District When They Were 12
edweek.org
I'm almost surprised that school administrators are still pulling the same shit they did 19 years ago. I have basically the same story. I dropped out and got a GED after I was framed by a malicious network admin and expelled, the record of which followed me to each subsequent school. I still managed to work my way into having a career, luckily. But the effects on my family and my development as a kid were significant.
Not only is it unfair, it's hypocritical. First the school keeps the lamest possible security practices (or none at all), and then they punish the kids that stumble onto unprotected systems. It's like keeping unlocked storage closets where kids could get into harsh chemicals, and then recommending the state pursue criminal charges when the kids find them and spill them everywhere. The bigger question is, Why did the school leave the closet unlocked, and why is the school not held accountable??
To answer the article's question, they should partner with other school districts to offer advanced cybersecurity programs to gifted students. At the very least, get the kids to participate in something like picoCTF so they have an outlet for their talents. After-school programs in addition to more advanced online classes will really help.
But also, schools should stop being run by moronic fear-mongering administrators with no conscience.
A friend and I managed to gain superuser access to my school's systems (including remote screen access to every teacher's laptop) when I was in secondary school.
After a little playing around we handed the duty technician a post-it note with the superuser password on it and told them we would explain how we found it if they wanted.
I was summoned to the office of the head of IT, congratulated, asked to explain how we did it, and told that we had to keep the password a secret until they had a chance to fix the issues. A week later they told us it was fixed. After I graduated my school hired me as a freelancer.
This is in Australia, but I'm unsure how well my experience generalises here.
Because your school ran its own IT. In today's North American schools this is contracted out, or at least covered by a multi-school or district team who never talk to actual children. Any kid finding a flaw is a threat to that contract or system. Administrators don't want to look foolish, or admit liability for a flawed system, so they go after the kid. (Modern privacy laws make them fearful of admitting anything.) Remember too that there is a culture in NA of adults seeing teenagers as a threat. They are suspect the moment they get to school. Any deviation from a norm only confirms that perception.
Our IT department each rotated through being the Helpdesk person who talked to kids all day. They ran our robotics club. If you were interested in mail servers, or LDAP, etc they'd invite you in to see the server room.
I suppose they felt they had a duty to teach us, just like the rest of the staff.
It seems school district security practices are pretty atrocious universally. In my junior year of high school me and a buddy realized that all passwords for our district were 6 digit numbers. We didn't have to be mad geniuses to realize how easy that would be to crack. And sure enough there was a webmail login form on the district's front page that apparently didn't involve a nonce or security token. So we whipped up a Visual Basic app (because that's all we knew) and cracked a teacher's password in two days.
Once we were in, we eventually found access to the district website server and found the admin password for the entire district (it was a big district) sitting in plaintext on the school website server.
We were smart enough never to do anything malicious or even questionable, apart from getting there in the first place. And we kept it a secret for years. But the amount of sensitive info we had access to was unreal. That same password was used for every major system (school lunches, grading, etc).
And what's crazier is that about ten years later I had bumped into somebody at a bar who was on the IT staff for that district. He was stunned to hear the story, and even worse, that the same password was still being used.
You think your Visual Basic GUI could be used to track a killer's IP address? Because if so, that shatters my entire reality.
I have a similar story but I wasn’t expelled. I was locked in a room and yelled at for a couple hours. Ultimately, I was banned from the library. I loved reading.
The computer teacher set up a special curriculum for me that covered discrete electronics and I attended this in lieu of another class.
He was a former x-ray technician and taught me all about resistors, diodes, capacitors, inductors, you name it. He created binders with these components taped to work sheets with technical information.
The school was run by a moronic fear mongering admin, but there were at least a few good people who saw I was different. I probably wouldn’t be here today if it wasn’t for that teacher.
We might be doppelgängers. However, you do have to acknowledge that schools and budgets for education infrastructure will NEVER be adequate. I do agree with your suggestions though: tap into those students and offer them an outlet, while stressing the ethical and legal concerns with this line of work.
Also happened to me when I was in high school, but luckily my mom was able to convince the school to drop everything.
The school is not only incapable of providing a quality education for these super smart kids, but they also were exposing everyone's data in a negligent and reckless way. Where is the punishment for the network admin?
Seems like the real lesson here is don't be a black hat hacker, or at least if you are gonna do that, don't get caught no matter what. The truth is if they weren't minors they'd be totally fucked for this. I imagine lots of us here had similar experiences. It's natural enough to want to explore and play with this kind of thing. But life isn't fair, and that is an important lesson we all have to learn at some point.
If I knew either of these guys I would hire and mentor them right now.
Wow, expelled?!?
After a similar incident in middle school, my only punishment was that I had to start a computer club at the school and run it with the IT guy that got pwned.
Although I detested the punishment at the time, it turned out to be a lot of fun. I got to build PCs on the school’s dime.
It is worth considering that we've gone through several moral panics about "hacking," particularly in the late 1980s and early 1990s.
That's why computer crime laws are so disproportionate (e.g. spray paint a physical sign get a $100 fine, vandalize a digital sign get five-ten years in prison). They were written when a bunch of ignorant lawmakers were freaking out about hackers turning off electricity or wiping out the stock market.
Yep.
I've been shouted down at our work book club while reading Mitnick's memoir. I said that a good amount of early hacking was "e-trespass" and "e-vandalism". The non-e versions of those crimes are low grade misdemeanors.
Yet, it was a bunch of shitty laws that somehow elevate them to manslaughter and 2nd degree murder equivalent.
This might be also because most governments and police absolutely lack the knowledge to catch any cybercriminals or to even understand the crimes. The punishment isn't surprising to me if I take their fear into account.
"To answer the article's question, they should partner with other school districts to offer advanced cybersecurity programs to gifted students"
Funding laws could disallow this. For example, in Indiana, two schools cannot jointly hire a teacher. They can both hire the teacher part-time if they'd like, but the teacher wouldn't get full-time benefits. (My father worked as a business manager in different school systems in Indiana).
The entire reason for this is funding laws. I think this is a consequence of funding schools through property taxes, but I'm not sure. I'd really like some of this to be changed so there is more flexibility and less difference between area schools, but that isn't how these are designed.
Is it just me or does the story inexplicably blow up the boys' tech proficiencies and then almost casually mention that all they did was log in to school computers with credentials from a post-it on the machine itself in a public space?
How are they at fault if said credentials grant them access to unprotected sensitive records and an obviously badly exposed administration system?
The boys are clearly tech-savvy to a degree (they build their own PCs, mined crypto, understood Windows user permissions, etc.), but I seriously doubt that they would or could have broken into the district's systems without two things: 1/ an admin password left on a sticky note and 2/ clear text storage of other user passwords in an Excel file published in a shared folder on the first machine they accessed (a public machine in the middle school library!). Other issues: old user accounts left still active; no review of access logs or logs of server usage (which would have spotted Monero mining). Note: the boys reported that passwords on sticky notes were routine throughout the district (and how they got access to the security cameras, too).
It goes to show the district's poor understanding of technology that their incompetence led to calling what they did ‘hacking’.
Another breathless article about l33t hacking where the method is just stumbling across passwords.
It’s like a bank leaving its doors and vault open, and whoever walks in and grabs the money being lauded for his bank robbing prowess.
Also, they are very much at fault for knowingly using someone else’s credentials. It doesn’t matter how easily they obtained them.
I had a similar level of access to my school's network when I was 12. It was really easy, just watch the teacher slowly peck-type her password. It was "teach". That gave me access to everything for her class.
Later on she had to log in to the admin account, and that password was "burger". It turned out to be the password for every admin account in every school in my district. I'm guessing they were all set up by the same guy, with a note saying, "make sure to change the password!"
I had access to EVERYTHING. But, I was a pretty good kid, so I just poked around enough to really verify that I could do anything and then I logged out and never logged back in. I was terrified that I was going to get in huge trouble just for accessing things I shouldn't have.
> It was really easy, just watch the teacher slowly peck-type her password. It was "teach".
Exact same story on my side, and the password wasn't much better either. The worst is that she hinted at what the password could be (I assumed it was a joke to calm down curious kids) but it was totally right when I managed to actually see that password for myself.
The computer password in my school was "secret". We'd always ask the teacher for the password and we were told "it's a secret".
One day (1994) during AP CompSci, my friend was looking for ways to bypass the cheap Mac System 7 lockdown software ("Mac Control" by BDW Software). He found the file that changed during password changes, and was astonished to find it was the same length as the password. (N character password -> N byte file)
Me: That sounds trivial to break; have you tried XOR?
Friend: I'll try that now. [Tries ONE value] It's just XORing each character of the password with 0xC9!
Me: Wow, that was fast. Why did you guess 0xC9?
Friend: 0xC9 is 11001001.
Yes, my friend was a huge trekkie. ( http://memory-alpha.wikia.com/wiki/11001001_%28episode%29 )
We spent the rest of high school getting strange looks from teachers that hated that we always seemed to know their passwords, but also wanted our help fixing their computers.
> Me: That sounds trivial to break; have you tried XOR?
> Friend: I'll try that now. [Tries ONE value] It's just XORing each character of the password with 0xC9!
Really? You kids just guessed it on the first try? I'm skeptical.
Is it that hard to believe that two different trekkies (my friend, and possibly the author of the software) might have picked the same "random" constant that just happened to be the title of a TNG episode? It was very surprising at the time, but plausible given that people give VERY non-uniform-random values when asked to pick a random number.
Meh, believe it or not, it's what happened. The real lessons are that XOR isn't a very secure hash function, and a lot of high school level "security" has often been little more than a cheap facade.
In hindsight, his friend might XOR a known password's hash with the clear text to uncover 0xC9. But coming up with the idea on the spot is pretty smart as well.
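The storage scheme described in this subthread (an N-byte file holding each password byte XORed with 0xC9), shown beside a salted key-derivation alternative. This is an added example, not part of the thread or of the software it discusses; the sample password, the function names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

XOR_KEY = 0xC9          # constant named in the thread (0b11001001)
PBKDF2_ROUNDS = 600_000  # assumed work factor for the hardened form
SALT_LEN = 16


def weak_store(password: str, key: int = XOR_KEY) -> bytes:
    """The scheme as described: every password byte XORed with one constant."""
    return bytes(b ^ key for b in password.encode("ascii"))


def weak_recover(stored: bytes, key: int = XOR_KEY) -> str:
    """XOR is its own inverse, so the stored file is the password itself."""
    return bytes(b ^ key for b in stored).decode("ascii")


def key_from_known_pair(password: str, stored: bytes) -> int:
    """One known password and its file give away the constant: p ^ (p ^ k) == k."""
    keys = {p ^ s for p, s in zip(password.encode("ascii"), stored)}
    if len(keys) != 1:
        raise ValueError("not a single-constant XOR scheme")
    return keys.pop()


def strong_store(password: str) -> bytes:
    """Hardened form: random salt + PBKDF2-HMAC-SHA256, fixed-length record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt + digest


def strong_verify(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = "engage1701"  # constructed sample password, not from the thread
    blob = weak_store(sample)
    # The weak file leaks the password length and decodes with one pass.
    print(len(blob), weak_recover(blob), hex(key_from_known_pair(sample, blob)))
    record = strong_store(sample)
    # The hardened record is 48 bytes whatever the password length.
    print(len(record), strong_verify(sample, record), strong_verify("guess", record))
```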
I wonder if the security guard or the librarian who left the post-it notes on their machines are reprimanded in any way. Or the librarian who left the student list excel file unlocked on the machine, that contains sensitive information.
While what the kids did is simple to us, it is magic to these other people who can't even fathom the security implications of such a system. And that's the scary part. The technology is adapted faster than it is being understood.
Probably not. There's hardly ever a push to get staff members trained in ways like this for a myriad of reasons, some of which are sound. The irony being, the next week an admin could be phished or have their account compromised in the same manner. There just seems to be this acceptance that, much like the view of the current public education system, it's not worth the investment to improve.
I hate that cultural thing where actions like this are treated as something good to be glorified - while simultaneously threatening them with jail.
What about not overreacting either way, teaching them right and wrong, legal and illegal too and punishing them in age appropriate way without involving cops.
So close to my own memories! Back in Sydney the mid 90s at perhaps 15 I reconfigured a modem to allow for dial-in then explored the regional network of the NSW education department remotely in the evenings. The machine was intended to serve code, which we set up for diskless network boot and distributed games like Quake for network deathmatch (we also wrote our own from scratch, eg. we had a nibbles.bas hacking competition where we modified multiplayer single keyboard versions to add features ... I recall flamethrowers, mines and lasers). We also used to play crobots. I stopped exploring the network after teachers started perplexingly asking questions if anyone was in the school computer room later in the evening. Similar to the subject of this story, it was really just curiosity, and I was also later offered a job with an ISP as a result of the control obtained, where I made my first RIP advert mistake, learned to tar to and from tape, and other such fun. Also managed to intern at Fuji-Xerox where the Unix admin department had me learn bash scripting, walked me through cabling and network topology management techniques and I got to self-educate through a broad range of Cisco online learning courses. Fun times. Years later used essentially that body of knowledge to design and operate substantial Linux clusters. I have worked in many continents in areas as diverse as embedded, clustering, mobile, digital video, finance, and now run a robotics company in China. At the time I recall I just hungered for knowledge and wanted nothing more than a teacher to point the way to new areas. One of the accidental teachers who popped up on my periphery was Julian Assange, whose strobe got me in to protocol analysis and much reading of RFCs which resulted in announcing ~1999 many discoveries of undisclosed remote OS detection techniques across protocols like ICMP, IGMP, and even ARP. I've since written a few internet standards drafts of my own. 
Key insight for kids in these spaces ... it's harder to create a system and defend it than to find holes in them. The parents are correct to encourage building versus breaking. Breaking is very important also, however, but should ideally be encouraged with a parallel focus on professional ethical development and perhaps anthropological/philosophical insights as a personal frame of reference in to the established national/educational/legal bureaucracies who may otherwise seek to spurn talented and unique individuals such as these.
The district should hire these guys, because they're obviously more competent than the current IT staff.
Speaking to the ineptitude of the district, you have to understand that a lot of districts are horribly understaffed and/or mismanaged. "Best practices" from an IT perspective is often an unknown or misinterpreted/ignored to band-aid disparate systems RIGHT NOW because someone forgot to renew a license or so-and-so at DO got this great deal on some (most-likely) Pearson product from a frat-brother/neighbor/family member. There is no room for growth professionally and not much in the way of training/certification that doesn't require the employee learning on their own time and dime.
Soul-crushing lack of accountability is a factor as well. Outside of physically assaulting someone or stealing a bunch of shit it is almost unheard of for someone to be terminated for either incompetence or negligence unless it's so optically bad for the district or administration as a whole that they have no choice.
Then you have to take into account the skillsets that you're left with when capable people leave. In my experience, those that can swim best often jump ship first and with them take knowledge that was either carelessly preserved or is totally unattainable by the staff that remains. Positions are sometimes never back-filled leaving less capable staff to pick up slack and the cycle continues, things get overlooked and stagnate and smart, bored kids own your ass.
With the school being technically inept, how did they get caught?
Other students tipped off school administrators when a network filtering bypass devised by one of the two boys went viral across the district.
If they just got in, didn't break stuff, didn't copy test papers or change grades, didn't victimise anyone - just took some electric and processing power - then they resisted a lot of temptation (or didn't realise quite the power they were holding).
Give the proceeds to charity, repay the electric from their own pockets (eg by doing chores), get them on a course or give them hardware to set up comps they can hack at legally.
They had computers to hack legally at home. One of them was building mining computers, so apparently he had also access to money to buy hardware.
It was not lack of access or lack of outlet. It was lack of boundaries and access to school network was not the only behavioral problem mentioned in the article.
So they mined crypto, installed backdoors, accessed camera footage... and the story is generally positive and defensive of them[0]. This clearly goes beyond "just a prank" and depending on the severity ranges from very irresponsible to anti-social and malicious.
[0] for the record I don't mean it shouldn't be, it just sounds bad enough, so imagine how bad a non-charitable take would be
By 'backdoors' are you referring to the TeamViewer client they installed on a student computer in the back of a science classroom? If so, suddenly my grandma is now a leet hacker.
That is backdoor, just not particularly leet or advanced. Low skill hacking and backdoor are still hacking and backdoor. Article makes them sound like cybersecurity geniuses, not comment here. Article is all odd.
Imo, the actual tech achievement there (for that age) is building mining computer and learning javascript basics from video. Which is more than other kids can do and shows some self motivation.
Remote Access Trojan is more fitting I guess?
Also note the article is pretty explicit that this compromised computer gave them access to the entire network. And "servers" is in plural when it talks about crypto-mining. Likely this is how they controlled the mining operation.
A school system, where this level of potential and passion goes unnoticed and unharnessed for good, is a broken system. The full extent of their exploits remain unclear, due to ongoing legal action, but it should have been detected well and truly before it got to the CCTV access stage.
I'm wondering how one would break into a CCTV system without physical access. Are these systems connected to the internet?
If you're referring to the boys, they found a sticky note on a guard's laptop containing the login details.
For general cctv, many are installed to allow monitoring while away from the house. Nanny cams for example.
Installing cctv to an existing network will put it online automatically.
The most important issue to consider is these devices - routers, cameras, alarms, locks... come with default passwords. And almost no one changes them. So anyone who knows which port (Shodan search engine, port scanner) to look has a high chance of getting entry.
Ok, thanks. I was under the impression that CCTV systems are always "closed systems", in the sense that one can watch the recorded video only after an incident (where an authority has to provide the password).
This might not be relevant with modern systems, but about five years ago security camera systems were common where the individual cameras were connected to the local network and to watch them you would open some special program on a Windows machine. The cameras themselves had administration pages served over HTTP and they ran an ancient version of Linux.
Although I never tried, I’m guessing that all you would have to do is guess a password (not hard if it’s in a spreadsheet) to a UDP stream accessible through VLC. If you couldn’t guess the password, the software on the cameras is so old that you could find a plethora of exploits to use to get root and reset the password.
Similar story here, but very different outcome. Messed around a bit in junior high, but in senior high our school had their home-built web-based intranet. Several security issues (at least half of OWASP 10 basically), so escalated that to full access of db with cracked account passwords. Windows AD network and I don't remember the details but it involved a service account with a weak password, Remote Desktoping into some admin server and getting a local copy of a database with NTLM hashed passwords, cracking those for all users. I didn't actually do anything much apart from just exploring the security aspects. Didn't probe in private messages between teachers (definitely in their internal message boards though!), try to look at the grading database, etc. Eventually got caught because one of my two friends who were in on this had got caught having the wrong window open at school and they got on to us.
That was nerve-racking.
There was a whole internal crisis around it - it was not a huge school, private IT and media school with less than 1000 students at the time. They had logs that made me have to admit and I effectively got cut off the AD. Game over.
However, I still had a private 0day for the intranet so I could see what they were writing about what to do with the situation. It seems like the consensus was to turn us in to the police - just like with the boys in the article. But then our head of school posted an MP3 file on an internal closed message-board arguing for how this was not a way to do this and instead we got "detention"; I had to build a web app and database for connecting students to companies for internships. Which was pretty fun.
Some time after graduation and military service, the head of school calls me out of the blue and wonders what I am up to now. Apparently he had moved on from the school and was now working with one of the most famous web entrepreneurs in our country with a small startup in the town where I went to high school.
So that's how I got my first full-time job, where I learned a lot.
Morality aside, which approach was more constructive here?
My freshman year of high school we had similar access. Mostly used it for auto-installing Doom on all the library computers at once every time the poor admin went through each computer and manually deleted it.
One friend wrote a fake login program that would immediately quit and run the real login program so we could collect credentials.
Another friend got in real trouble though, supposedly for either trying to or actually changing grades. I knew we could get in trouble. But I also never would have considered doing anything other than pranks.
Of course, even pranks can be dangerous. One of my friends found an open mail server (not that there were any shortage of those at the time) and sent some prank emails that could have gotten him in real trouble.
This article and all the comments here are really making these kids out to be heroic geniuses. Maybe, just maybe, they knew they were breaking some pretty serious rules. Because, you know, while not exactly geniuses, they weren't idiots either.
That's what kids do though. They break rules, test boundaries. You give them enough of a slap on the wrist to teach them to never do that again. Not expel them and ruin their future. Especially if it's true what the article says that one of the kids had a behavioral disorder!
I first profiled the story of one of the two boys at https://k12cybersecure.com/blog/moths-to-a-flame/. AMA.
Could you comment on this message please? https://news.ycombinator.com/item?id=18421274
The school taped passwords for anyone's eyes. What did they expect? Based on the available info, all the boys did was use available login details, and installed remote login software and crypto mining software and played CIA surveillance.
The school's extremely negligent / tech poor and they want to hide their embarrassment by blowing up the skills of the boys. Anyone who has used TeamViewer will testify that it's impossible to hide a remote viewing session from the client screen.
The boys should sue for entrapment.
At the ETS in Amsterdam the system was set up in such a way that you only got so many compute seconds per schoolyear. I spent nearly all my budget defeating the accounting system so I could have unlimited computer access. That and drafting classes were the few interesting things in that school, the remainder was very basic electro technical and electronics stuff.
If you like this story you may like this podcast episode. 15 year old hacks his school and gets more than he bargained for. https://darknetdiaries.com/episode/17/