3rd Grader Accused of Hacking Schools' Computer System

Gud writes "According to The Washington Post a 9-year-old was able to hack into his county's school computer network and change such things as passwords, course work, and enrollment info. From the article: 'Police say a 9-year-old McLean boy hacked into the Blackboard Learning System used by the county school system to change teachers' and staff members' passwords, change or delete course content, and change course enrollment. One of the victims was Fairfax Superintendent Jack D. Dale, according to an affidavit filed by a Fairfax detective in Fairfax Circuit Court this week. But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker.'"

More likely,

[PhrostyMcByte]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Re:More likely,

[$RANDOMLUSER]

Even more likely: Had security been adequate to keep out a determined nine-year-old, it also would have completely stymied the teachers and administrators.

Even more likely than that: Some teacher who "knew a lot about computers" set up the system in his/her spare time.

Re:More likely,

[G00F]

for a 9 year old, that would be skill.

Re:More likely,

[nametaken]

Let's not make excuses for the fact that Blackboard SUCKS in every conceivable way, as it has since schools first started using it.

If there's any problem at all with some staff member's abilities, it manifest itself in the decision to license that pile of trash in the first place.

Re:More likely,

[coolsnowmen]

Agreed, noone starts programming w/o ever seeing someone elses code. Most of my code now is from scratch (or from my own previous code), but at one time I looked at a lot of examples from books/internet to see how things were done.

Re:More likely,

[$RANDOMLUSER]

Having been a teacher at the local community college, and having used that egregious POS, I have to agree completely. I'd think rather be homeless (or be sentenced for life to use Access) than have to deal with Blackboard again.

Re:More likely,

[RobDude]

In my experience - this.

I don't know why schools are this giant black hole of suck - but they are. My school was very well-to-do, and had some of the highest paid teachers in the country. I don't know why they could find an IT guy who could follow industry accepted best practices.

If you can't stop a curious, bored, student - who really doesn't know jack; you have no business working in IT.

I love how everyone wants to attack the kids in these school + computer security cases. Nobody ever wants to talk about the trained 'professional' whose job is to prevent these things - getting schooled (haha) by a kid.

Instead of kicking the kid out of school - why not fire the IT guy, get a real IT guy, and then, let the kid (who will proudly offer it up) show the new IT guy what he did. The new IT guy will shake his head and go, 'Yeah - that should be locked down'.

Re:More likely,

[Minwee]

Oh, come on -- it couldn't be THAT bad.

Oh, yes, Access certainly is bad enough to be compared to Blackboard.

Re:More likely,

[AngryNick]

As my 8 and 12 year old daughters have explained it to me, it is more likely that Junior guessed the username/password for a few key accounts and leapfrogged up the food chain from there. The student accounts in the lower grades are generally based on the student's id and a formula driven password that any 2nd grader could figure out. More cracking that hacking.

This is just one more thing to add to my list of worries for my girls:

• Getting knocked up
• Locking me out of their Linux machines
• Going to jail for hacking blackboard

Re:More likely,

I don't know why schools are this giant black hole of suck

Multiple reasons. First off, schools don't pay shit. If you have the skills to do IT for public K-12 schools then you have the skills to get a far better job in the corporate world. And secondly, schools are horrible places to work. I worked in IT from 1996 through to the summer of 2009. During that time I had a couple of short stints where I worked IT in two separate K-12 school districts and they were easily the worst jobs that I have had in my entire life. In one of the places I was something like the twelfth IT director that they had hired in the past few years. The turnover rate was approximately one per every eight weeks. It sucked that bad.

IT in schools sucks because nobody with any skill is willing to do it. It is shitty work, you are treated horribly and you are paid poorly.

Re:More likely,

[fuzzyfuzzyfungus]

I've done some school IT work.

Here's my experience: The pay is pretty unexciting; but the pressure is correspondingly low. Corp pays better; but teachers are so much nicer to deal with(obviously teachers aren't 100% angels, and corporate isn't 100% nutjobs; but the difference between working in a place where the average response is "Hey, thanks a lot for fixing that!" and one where the average hovers around "OK" or "Well, why wasn't it done yesterday? I have things that need to get done!" makes a fair difference in one's state of mind at the end of the day). Because the pay isn't so exciting, you don't get many of your truly driven types; but because the conditions are OK, you do get better help than you would expect.

The real kicker, security wise, in my experience is the demand for ease-of-use and heavy use of various ghastly legacy software(stuff that shipped with textbooks and whatnot). I spent a lot of time grovelling through psmon traces, trying to get crap to run under limited accounts with as few security-compromising modifications as possible. Still, sometimes, you just had to do gross stuff to make it work.

The ease of use thing caused some limitations as well. Yeah, we knew that kids were bringing in crap on flash drives. Could we have stopped that trivially? Sure. No big deal. Except the shitstorm that would break out when all the faculty and students who shuttle work to and from school on flash drives learn what they can no longer do. Internet filtering was in the same bucket. Yeah, we have a firewall and a proxy, we can be as draconian as you like. Wait, so you don't actually want draconian? Ok. Yup, we knew that we could use Software Restriction policies, make sure that the set of locations that users can write to/mount from external media and set of places from which the system will execute binaries are disjoint, all that stuff. No problem. We could even set it so that ain't nothing gonna run unless the IT department has signed the binaries with their own private key. Guess what? The users, and Admin, would have had our heads. Teachers shoving in CDs from various textbooks and expecting the (usually Macromedia director based) content to Autoplay was a daily use case, among numerous others.

Then you get into the issue of legacy server software. Just as "enterprise" can be used as a epithet when describing software quality, and most enterprises of decent size have some real horrors lurking at the dark heart of their IT-assisted business processes, so does education. Bespoke crap, student information databases that were designed by people who thought that Windows 3.1 was too visually elegant and user-friendly, and that SQL was something that happened to other people, that sort of thing.

I don't intend this as a general apology for the state of educational IT, some of it is incompetence driven; but, a lot of it is pretty much like corporate IT, just with less money(and corporate IT has a few security issues of its own.) The same basic dynamics are in place. Some incompetence, some crap legacy software that you can't get rid of for organizational reasons, some security measures that are possible; but would cost too much or upset too many legitimate users, and so forth...

Blackboard - the biggest educational POS EVER

[Khyber]

I could hack that POS in my sleep, and have multiple times. The University of Redlands has some of the most incompetent IT administrators EVER - hack blackboard, get access to student accounts, surf the web on their network with not a goddamned one of them being the wiser, under an account that I could use to frame that person.

Doesn't help their wireless AP broadcasts into my apartment at such a high power level that it blocks out most of the other wireless APs when it's engaged. 5 bars on my router two feet away? As soon as a game starts up in their sports complex, I lose my router and I get a big fat UoR signal. I hack it EVERY SINGLE TIME and they're still not smart enough after several warnings to ditch blackboard and ResNet and find something more reliable.

Re:Didn't see that one coming.

[Fantastic+Lad]

No kidding!

That brightened my day considerably. Though in a perfectly sane world, the police would never have become involved in the first place.

-FL

you can't seriously be defending childs

[circletimessquare]

childs had a god complex: "i am the only one who has the right to administer this network"

he built the network for san francisco. san francisco had every right to do whatever it wanted to do with the network they hired him to build. if san francisco wanted to hand out passwords to the network to hackers, san francisco has that right, and childs has no right to any say on the matter

the man was not protecting the security of the network, the man believed he and he alone had a right to decide what to do with the network. the man has boundary issues: he felt attached to the network like it was his child. he probably invested a lot of time and energy into it, but so what? there's such a thing as taking pride in your work... then there is psychotically remaining attached to your work and assuming you and you alone can forever more decide how your work is used

he was reimbursed for his work. end of story. his actions are completely indefensible. the man needs psychological help, you have no valid basis to defend the wackjob. lock childs up, he only deserves punishment and psychological treatment

and furthermore WHERE THE HELL DO YOU GET OFF COMPARING TERRY CHILDS TO A NINE YEAR OLD

Re:What's his Slashdot name?

Real hackers don't do slashdot. This place is lame.

Re:FTFA

[Kaboom13]

As a youth in high school, I knew the passwords for 90% of the administration. With it I could have changed the grades, class schedule, modify the student record, or even suspend any student in any school in the entire county. How did I know it? I didn't hack anything. Teachers frequently told me their passwords so I could help them with computer problems (the only full time IT staff at the school was hired because he was someone's cousin, and a good basketball coach, and the county wouldn't give them funding to hire an actual basketball coach). It didn't take long for me to realize they followed a simple pattern based off the teacher's name. It was an easy jump to realize the administrators had the same pattern. They were supposed to change it when they logged in the first time but few knew how and even fewer bothered. I could have easily caused a lot of mischief, accessed confidential student records, or boosted my grades (something that would never be noticed because the scantron system teachers used to input grades frequently made errors, and administrators would fix them with only verbal confirmation) but I didn't, because it would have meant violating the trust of a couple of excellent educators who had truly gone above and beyond in a system that rewarded politics and actively punished excellence.

The point being, security in schools is often terrible, and it does not require hacking skills to acquire the credentials or access to systems a student should not have access to.

You gotta be kidding!

[woboyle]

I imagine this has already been said, in some form or other, but if their systems were SO insecure that an 8 year old could compromise them, then the school officials themselves should be charged with gross incompetence and fired summarily!

Re:Dade Murphy?

[gnasher719]

And you are wondering why Europeans laugh hysterically when Americans tell us they live in the freest country in the world.

Re:Dade Murphy?

[Bob+Cat+-+NYMPHS]

>they can abuse net send

If ONLY there were a way to disable that!

Boy, this computer stuff sure is hard!

Re:Dade Murphy?

[arekusu_ou]

1. UK doesn't not represent Europeans. I think UK is one of the worst in terms of liberty in Europe.
2. US and European are not the only ones in the World.

Europeans laughing; that America is not the freest country in the world, does not infer that they feel Europe is the freest "country/continent" in the world. That would be an interpretation of the statement.

Re:NOT a hack, NEW Wash Post story clarifies:

[sreservoir]

if a teacher can change the superintendent's passwrod, you have a problem right there.

As an European I respectfully disagree

[LienRag]

Well, America is a free country.
We are a free people.