3rd Grader Accused of Hacking Schools' Computer System

Gud writes "According to The Washington Post a 9-year-old was able to hack into his county's school computer network and change such things as passwords, course work, and enrollment info. From the article: 'Police say a 9-year-old McLean boy hacked into the Blackboard Learning System used by the county school system to change teachers' and staff members' passwords, change or delete course content, and change course enrollment. One of the victims was Fairfax Superintendent Jack D. Dale, according to an affidavit filed by a Fairfax detective in Fairfax Circuit Court this week. But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker.'"

Dade Murphy?

[Tumbleweed]

Zero Cool strikes again. Mess with the best, die like the rest!

Re:Dade Murphy?

[sir+lox+elroy]

ROFLMAO I Love this article, and sad part is he was the first thing I thought of.

Re:Dade Murphy?

[WrongSizeGlass]

Or maybe Oliver Wendall Jones?

Re:Dade Murphy?

[AlamedaStone]

Or maybe Oliver Wendall Jones?

You must be old here.

Re:Dade Murphy?

[nottheusualsuspect]

I was thinking more along the lines of using him to command our fleet against the Buggers.

Or at least he could lash back (electronically) at Bernard (cover your butt, he's watching!)

Re:Dade Murphy?

[cosm]

When I was in high school, I was in the library one time working on a project. The internet was acting flaky, so I fired up the command prompt. A nearby librarian saw me running ipconfig, and immediately notified the principle. I was sent down to the office and screamed at by the principle and a few other administrators for exhibiting 'possible terrorist activity'. They banned me from computers for the rest of my senior year, and I had to go to 2 after-school detentions, (A+ student, no prior record at the school). Even after trying to explain myself to the district IT admin, I was fed the line "You were doing something unauthorized, so you pay the price".

Fuck you WHS.

Re:Dade Murphy?

[severoon]

Whoops, I think there's a minor error in this summary and the headline of the article. It should read, Fairfax County public school system administrators criminally negligent in securing sensitive data. There, glad I fixed that...

Re:Dade Murphy?

[gnasher719]

And you are wondering why Europeans laugh hysterically when Americans tell us they live in the freest country in the world.

Re:Dade Murphy?

[karnal]

I did a net send (under my account, unfortunately I didn't think to use the "public" account on the machine) to the cafeteria that said "Hello, -cafeteriaworkernamehere-"

A few days later, my account wouldn't work. So, went to talk to the admin. He stated that doing that froze up the computer that the cafeteria worker was using, so his response was to disable my account. Without telling me. I didn't really get in trouble for it, but it did serve a purpose - making me come to the admin and explain what I was doing.

I still hate the fact that some admins think it's ok to just cut someone off without at least offering the olive branch of "Hey, do you know you did something stupid?" - I've got some related work stories from people who are less than customer service friendly that have done the same thing. Kinda grates me a little....

Re:Dade Murphy?

[History's+Coming+To]

It is kind of funny (I'm in the UK), but I'll tell you what, I could be arrested in this country for the fact that I sympathise with people who carry out suicide bombings. Honestly, I do, I mean how bad must things be if they really feel that blowing themselves up in a busy public place is an appropriate action? They must be absolutely desperate. I'm not saying I agree with their methods, I'm weird because I'm an atheist who for some odd reason also believes in the "no killing" rule. But the point remains that the state here can arrest me for sympathising. I'll leave the argument of whether the state or suicide bombers are a bigger threat to my "freedom" (whatever that is) to the reader. I'm not sure yet.

Re:Dade Murphy?

[bragr]

I recently started working IT for a University, and one thing that I learned very quickly, is that, especially in a Uni with a large CS department, there are so many people that think they are "1337 h4xoR$" because they can abuse net send, or figured out how to use Slowloris, or other such things, in addition to all the other fires that need to be put out, like worms spreading over the wireless network, that we don't have time to be nice to people that are screwing around on the network. We are more interested in solving problems quickly than making friends.

Re:Dade Murphy?

[Bob+Cat+-+NYMPHS]

>they can abuse net send

If ONLY there were a way to disable that!

Boy, this computer stuff sure is hard!

Re:Dade Murphy?

[Eggbloke]

In my school I doubt anyone knows what a command prompt it. I have been using
mkdir C:\HACKERSONSTEROIDS
for ages to annoy them and no one even seems to have noticed.

Re:Dade Murphy?

[tompaulco]

You had the internet in High School? Luxury! ipconfig hadn't even been invented when I went to high school. It was so early in the computer era that they still thought keyboarding ought to be a prerequisite to a programming class.

Re:Dade Murphy?

[newcastlejon]

Tell me, what act proscribes sympathising with suicide bombings?

Publicly extolling such a course of action and potentially inciting others to do so is one thing, but I seriously doubt the Crown would prosecute a case against your freedom of thought.

You aren't the first person to publicly express similar sympathies and you certainly aren't the most well-known, yet I fail to recall a single instance of such a person appearing in the dock. Personally I agree that resorting to any kind of suicide attack does reflect the desperation of the attacker and their cause, but frankly anyone that purposely attacks civilians with such little regard for complicity deserves nothing but contempt.

N.B. Terrorists are probably the new Hitler viz. Godwin so please don't waste your mod points here; this post is for the benefit of the parent. Err... kthxbye... etc.

Re:Dade Murphy?

[arekusu_ou]

1. UK doesn't not represent Europeans. I think UK is one of the worst in terms of liberty in Europe.
2. US and European are not the only ones in the World.

Europeans laughing; that America is not the freest country in the world, does not infer that they feel Europe is the freest "country/continent" in the world. That would be an interpretation of the statement.

Re:Dade Murphy?

[ptbarnett]

ipconfig hadn't even been invented when I went to high school. It was so early in the computer era that they still thought keyboarding ought to be a prerequisite to a programming class.

[Insert obligatory story about learning to use a keypunch in high school]

Hang on... I gotta go tell those damn kids to get off my lawn.

Re:Dade Murphy?

[General+Wesc]

screwing around on the network

You do realize you're responding to a post about someone running ifconfig, right? And subsequently being accused of exhibiting 'possible terrorist activity'.

We are more interested in solving problems quickly than making friends.

That itself is a problem that should be one of your top priorities.

Re:Dade Murphy?

[b4dc0d3r]

We've just been waiting for someone to confess. Answer the doorbell!

Re:Dade Murphy?

[The+Yuckinator]

That was great. Replying to say so to undo a drunken-clicked moderation. Thanks for the laugh!

Re:Dade Murphy?

[mattr]

People don't realize how loud the keypunch is, it gave me a feeling of power!

Re:Dade Murphy?

[Xest]

"I could be arrested in this country for the fact that I sympathise with people who carry out suicide bombings."

Yes, you could be, perhaps, in some alternative reality.

But in the real world, no, you couldn't. There is no law in the UK that would cover arresting someone for sympathising with suicide bombings, there is however a law against encouraging others to commit suicide bombings which is presumably what you're thinking of.

In the UK we're certainly not free, but that doesn't mean that Americans are particularly free either. I've encounted a couple of events in the US and with friends in the US lately where people have run afoul of city ordinance laws.

A friend in Virginia wanted to get rid of the grass in his garden in the US and fill his garden with native plants from that region, but couldn't because it would breach city ordinance laws. There was a similar case in California where a couple wanted to do away with their grass and plant xerophytic plants to save on water consumption, but also ended up breaching city ordinance laws.

It's not just that though- look at the guy who was naked in his house and got arrested for indecent exposure following a complaint by a woman and her daughter even though the only reason they saw him was because they were trespassing on his land to start with.

At least here in the UK you can get rid of grass in your garden and plant something else, at least your garden is your garden, and your home is your home.

Labour has a lot to answer for in raping British civil liberties, but it's foolish to imagine you're anymore free in the US. The difference is of course, there are a bunch of people in America who like to consistently remind the world of how free people in America are compared to the rest of the world, even though they're clearly not.

Re:Dade Murphy?

[i+ate+my+neighbour]

My Internet connection at the campus dormitory was suddenly cut with no apparent reason. I checked that my cable was OK, asked if any other students have problems. IT people didn't reply my e-mails so I went there in person. It seems that I had some malware on my computer, automatically attacking others in the network, and IT cut off my access for two weeks as a punishment for my offence, without telling me anything. I told them I was immediately going to clean my system, but I had to go through some idiotic bureaucracy to get connection before my punishment is complete. I had less than two weeks to finish my BSc thesis.

More likely,

[PhrostyMcByte]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Re:More likely,

[Rary]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Actually, although TFA doesn't provide any details about how the "hack" occurred, they do differentiate between this and a similar case where someone merely obtained someone else's password. The implication of the article is that there was actual technical skill of some kind involved.

Re:More likely,

FTFA:

In January, students at Churchill High School in Montgomery County broke into their system to change grades, but that involved stolen passwords, not hacking, and did not involve Blackboard, Montgomery police said.

Re:More likely,

[$RANDOMLUSER]

Even more likely: Had security been adequate to keep out a determined nine-year-old, it also would have completely stymied the teachers and administrators.

Even more likely than that: Some teacher who "knew a lot about computers" set up the system in his/her spare time.

Re:More likely,

[digitalunity]

Probably not much skill required. Anecdotal I'm sure, but I've read online of other "hacking" done to Blackboard's software.

This kind of leads me to believe they just have really shitty security. Reminds me of the screen lock software they installed on the old Mac's we had when I was in middle school.

Move the mouse and it appears to ask you for a password, but click in the very far lower left corner and it let you in...

Any security device designed with an intentional circumvention probably has a security hole also.

Re:More likely,

[jimbolauski]

by skill do you mean running a script that was copied from the internet.

Re:More likely,

[commandermonkey]

ABS News has another article about the incident:

According to a search warrant, the computer savvy boy was able to get a hold of an administrator's password at Spring Hill Elementary to get into the Blackboard learning system

http://www.wjla.com/news/stories/0410/726170.html

Re:More likely,

[Mister+Whirly]

Well, now they can hire the 9 year old to be their systems admin. He obviously knows more about security than they do.

Re:More likely,

[FooAtWFU]

The Winston-Salem/Forsyth County public school system had a security system of some sort for years where the password for all the teachers was "teach". This was a pretty well-known "secret" among the student body. It might have mattered if you couldn't have snuck around half the lame restrictions anyway with some selective right-clicking on folders in the 'Save' and 'Open' dialog boxes of IE or Notepad.

Re:More likely,

[G00F]

for a 9 year old, that would be skill.

Re:More likely,

[nametaken]

Let's not make excuses for the fact that Blackboard SUCKS in every conceivable way, as it has since schools first started using it.

If there's any problem at all with some staff member's abilities, it manifest itself in the decision to license that pile of trash in the first place.

Re:More likely,

[coolsnowmen]

Agreed, noone starts programming w/o ever seeing someone elses code. Most of my code now is from scratch (or from my own previous code), but at one time I looked at a lot of examples from books/internet to see how things were done.

Re:More likely,

[spazdor]

Yeah, preteens ain't got any skillz unless they've coded their own sploit. I bet this kid doesn't even know how to write kernel patches. What a retard.

Re:More likely,

[JWSmythe]

    We all have to start somewhere. First it's discovering that it can be done. Then it's migrating to script kiddie level. Before you know it, he'll be writing the next killer app. I'm glad that the police were invited to step away so the school could just warn him where the fine line is between knowledge and abuse.

Re:More likely,

[$RANDOMLUSER]

Having been a teacher at the local community college, and having used that egregious POS, I have to agree completely. I'd think rather be homeless (or be sentenced for life to use Access) than have to deal with Blackboard again.

Re:More likely,

[spazdor]

Hah. I remember those lame-ass win95/98 "kiosk" mods. I think my school used one called FoolProof.
No actual program execution control or permissions policies, they just disabled some UI elements (like the Incredible Vanishing Start Menu) and hoped that no teenager had ever used a CLI before.

Re:More likely,

Rumor has it the password was PENCIL.

Re:More likely,

It doesn't appear as though it was a hack after all - merely a student with a privileged user's password:
http://blog.blackboard.com/blackboard/2010/04/reported-hack-not-the-case-clarification.html

The Washington Post has issued a correction/clarification:
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html

Re:More likely,

[SanityInAnarchy]

Even more likely than that: Some teacher who "knew a lot about computers" set up the system in his/her spare time.

That seems far-fetched. There are FOSS tools like Moodle -- Blackboard, by contrast, is going to cost you. As their website doesn't specify a price, you can expect the price to be tailored to your individual institution, or in other words, likely several hundred dollars at least, probably in the thousands.

That's a guess, but it seems doubtful, or at least stupid, to allow "some teacher who knew a lot about computers" to have that much purchasing power.

Re:More likely,

[Hognoxious]

For a 9 year old these days reading the password off a post-t would be a skill.

Bump him up a grade, say I. And offer him a job.

Re:More likely,

This happened to my younger brother when he was in junior high (10 years ago).

He had a relatively good understanding of computers at the time, and decided to go to 'right-click, explore' on the start button and found out a number of network mapped drives.

He clicked on a few, and a password box poped up. He typed in "admin" and "admin" for both user and password. He looked around and found some interesting documents pertaining to school administrative officials. Before he was able to read them, the teacher came by and caught him.

They sent him to the principal's office and called my Mom. They said they were going to charge him with "hacking" and theft, unauthorized access, criminal mischief, etc.

My mom freaked out and called me. I set up an appointment with the principal to see what he had actually done. They called in their network administrator and superintendent and all 5 of us had a meeting.

After they had told me exactly what he had done, I mentioned their security must have been lax enough that anyone could access it, even by mistake. We agreed he probably didn't know what he was looking for, if anything.

The network administrator, not content to be outshone after we had all agreed to dismiss it and give my brother a suspension, decided he wanted to prove to me it was secure.

He showed me the firewall. So I showed them all how the network admin had the default user and password still set.

I wish I could say he got fired, but no. He still works there. They just required him to get more training. He's not so bad now.

Re:More likely,

[Tolkien]

The trick see, is to use child-safe pill-bottle caps on everything, including computer security-measures. Think of the children, people!

Re:More likely,

[shogun]

Agreed, noone starts programming w/o ever seeing someone elses code.

I suspect Ada Lovelace may disagree with you on that one.

Re:More likely,

[poena.dare]

It's Blackboard Learning System (BLS) - many schools use it. Chances are he did it through URL manipulation. I tried to get my son the hack it but he refused. He said, "I don wanna know about web sites and stuff and then end up haffin to fix Mom's computer like you, Pop." Broke my heart. :(

Re:More likely,

[TougaSempai]

or be sentenced for life to use Access

Oh, come on -- it couldn't be THAT bad.

Re:More likely,

[Kozz]

Even more likely: Had security been adequate to keep out a determined nine-year-old, it also would have completely stymied the teachers and administrators.

I would guess that stupid security is sufficient. I know of an instance back in 1990 (*cough* ahem, excuse me) where students had access to computers in a library. Those computers also had enrollment/administration software installed on them. The username guessed was "teacher", and the password guessed was "westhigh" (for [cityname] West High School). It seems the student only guessed perhaps a half dozen times before access was granted.

Re:More likely,

[jackchance]

When i was 9 i was doing BASIC programming on my Commodore 64!

Re:More likely,

[Jeng]

Or an easy to guess password.

It was funny in typing class I got into the teachers account by typing (name of vice-principle)isanasshole. Like which student isn't going to randomly type that in?

Re:More likely,

[Hatta]

Your six year old is more computer literate than most people.

Re:More likely,

[RobDude]

Nobody cares - but here is my evil 'hacker' story.

When I was in high school, I was kicked out of my programming class, along with five other of my friends. We were marched down to the principal's office. I was given the title of 'ring-leader'. It was interesting stuff. Apparently, I was an evil hacker.

At first, I was like, 'Don't worry guys' because, after all, I didn't do anything bad. I did some cool stuff - like a program to change the desktop resolution, so I could write code in 1024xwhatever instead of 800x600. We'd also enabled sharing of our network drive so that we could work on our class stuff from anywhere in the building (which meant I could do homework in the library).

When I was in the room with the principal, she asked me to explain what increasing the resolution did, exactly. I tried my best, I told her....'Well, ummm....it means there are more pixels on the screen than you'd have otherwise....and it....ummm....gives you more space.'

She paused....and said.....'So, you mean to tell me, you were able to see parts of the screen you weren't supposed to? Did you ever think that maybe there was a reason those parts of the screen were hidden!'

I'm not joking. I'm not exaggerating. And at that point, I was basically forbidden to speak. Her mind was made up, my fate was sealed.

I thought it was a pretty good explanation from a 16 year old kid who didn't really know jack and who was fairly nervous at the time.

I was threated with expulsion from my school, kept out of class, given an F in my programming class (prior to this, I had an A+ and would literally go around and help other kids, the same as the teacher would. I'd spend hours in the library making my program do things far beyond the scope of the assignment. I was a great student).

Eventually, after much drama, it was decided that I could remain in my school - but that I couldn't touch any school computers for the rest of my high school years. That's to say, for the entirety of my senior year, if I was in English class and we were supposed to type a paper - I had to sit there and not touch a computer.

The stupidity is overwhelming to the point where it seems unfathomable.

I still don't know what trigged it all. The things I did, I had permissions and access to do - so I don't see how that really fits as hacking. We had an idiot running the school, and apparently, an idiot running the IT department. I'm guessing that nothing was locked down and someone did something actually malicious and they looked and saw that, OMG, some kids are working on their homework in the library via their network drive! And so, we (and more specifically, I) became the target of their rage.

Schaumburg High School/Sharon Cross - you suck.

Re:More likely,

[Minwee]

The implication of the article is that there was actual technical skill of some kind involved.

And since the system affected was Blackboard, that rules out the possibility of it being an inside job.

Re:More likely,

[RobDude]

In my experience - this.

I don't know why schools are this giant black hole of suck - but they are. My school was very well-to-do, and had some of the highest paid teachers in the country. I don't know why they could find an IT guy who could follow industry accepted best practices.

If you can't stop a curious, bored, student - who really doesn't know jack; you have no business working in IT.

I love how everyone wants to attack the kids in these school + computer security cases. Nobody ever wants to talk about the trained 'professional' whose job is to prevent these things - getting schooled (haha) by a kid.

Instead of kicking the kid out of school - why not fire the IT guy, get a real IT guy, and then, let the kid (who will proudly offer it up) show the new IT guy what he did. The new IT guy will shake his head and go, 'Yeah - that should be locked down'.

Re:More likely,

[Minwee]

Oh, come on -- it couldn't be THAT bad.

Oh, yes, Access certainly is bad enough to be compared to Blackboard.

Re:More likely,

[517714]

Fairfax County, Va. has one of the best school systems in the country. They didn't rely on computer amateurs thirty-five years ago when I attended school there, and they don't today.

I have no issue with your first statement though; other than the word "determined" could have been left out.

Re:More likely,

[tsm_sf]

Some dumb teacher probably just left their admin password laying around on a post-it note[...]

The password was "pencil".

Re:More likely,

[ooshna]

And you had to walk uphill both ways to school with 5 1/2 floppys tied to your feet because you couldn't afford shoes. We know Grandpa we know.

Re:More likely,

[fuzzyfuzzyfungus]

She has a stronger claim than most; but not entirely ironclad...

Re:More likely,

[Minwee]

you can expect the price to be tailored to your individual institution, or in other words, likely several hundred dollars at least, probably in the thousands.

I think you missed "Per student" and "annually" at the end of that.

The typical customer licensing the works will pay $160,000 - per year. Even small victims are being bled for upwards of $50,000 every year just for the joy of being permitted to use Blackboard.

Blackboard doesn't sell to teachers or even individual schools, they target entire districts and school boards, aiming high enough up in the organization to be sure that nobody they meet will ever have to use their product, or have any idea of what Moodle is.

Re:More likely,

[AngryNick]

As my 8 and 12 year old daughters have explained it to me, it is more likely that Junior guessed the username/password for a few key accounts and leapfrogged up the food chain from there. The student accounts in the lower grades are generally based on the student's id and a formula driven password that any 2nd grader could figure out. More cracking that hacking.

This is just one more thing to add to my list of worries for my girls:

• Getting knocked up
• Locking me out of their Linux machines
• Going to jail for hacking blackboard

Re:More likely,

[shawn(at)fsu]

Damn it people at least read the summary. It was some hack of the Blackboard learning system. Meaning it isn't something some teach set up in their spare time. It's a company product that the school uses. RTF summary before you go of on you're wild speculations.

Blackboard's main website in case you are living in a cave In anycase it's obvious this isn't some crappy side project of some teacher.

Re:More likely,

[nottheusualsuspect]

where's the +1 oh-man-that-sucks-and-I-feel-your-pain (otherwise known as daaaaaaaaaaaang) ?

Re:More likely,

[g0bshiTe]

5 1/2 floppies my ass, it was punch cards I'll wager.

Re:More likely,

[DarthVain]

Since when do they teach reading in school?

I envision the monkey computer scene from Zoolander as more likely.

Re:More likely,

I don't know why schools are this giant black hole of suck

Multiple reasons. First off, schools don't pay shit. If you have the skills to do IT for public K-12 schools then you have the skills to get a far better job in the corporate world. And secondly, schools are horrible places to work. I worked in IT from 1996 through to the summer of 2009. During that time I had a couple of short stints where I worked IT in two separate K-12 school districts and they were easily the worst jobs that I have had in my entire life. In one of the places I was something like the twelfth IT director that they had hired in the past few years. The turnover rate was approximately one per every eight weeks. It sucked that bad.

IT in schools sucks because nobody with any skill is willing to do it. It is shitty work, you are treated horribly and you are paid poorly.

Re:More likely,

[Beardo+the+Bearded]

I've got a six-year-old girl, and the only one that I'm worried about is #1. If that happens before she's ready, then I have failed as a father.

#2 gets rewarded. "WTF did you do here? I've got physical access and you've locked me out. Let me order you some RAM and you can show me what you did." (She uses Puppy now.)

Long before #3 happens, there would be a legal and media shitstorm to keep her out of jail. We've got a family lawyer, and really, Blackboard, do you want Everyone to know that a teenager can easily bypass your security protocols?

She got one of her friends to give up their "webkins" password. It's really hard to tell her "that's wrong" when you're really thinking, "fucking AWESOME! High five and ice cream!"

Re:More likely,

[poena.dare]

"The schools found that the changes to passwords and course work were made from the same IP address. Police obtained a court order from Cox Communications to track down the original computer and then targeted a home in McLean."

The only thing preventing this kid from being offered a high-paying IT job was the fact that he didn't have the foresight to use a public library computer.

Geeze, 9 year olds, when will they ever learn?

Re:More likely,

[Beardo+the+Bearded]

I was programming BASIC on a CoCo2 when I was 8.

My six-year-old can use Linux and knows that passwords are never given out to anyone.

Re:More likely,

[The+Redwin]

What's a 5 1/2 Floppy? Pretty sure you either mean "3-1/2" or "5-1/4"... Amusingly though, the error nicely reinforces the main point of you're statement (that you're very young compared to him, and can't correctly remember floppy disk formats) :)

Re:More likely,

[chromas]

You kids today! They were 5¼" floppies, dagnabbit and we had to make them ourselves out of leaves—which we couldn't even afford—we had to steal those from the rich neighbors across town to which we had to walk in eight feet of snow, uphill backward both ways at the same time with the sun beating on our backs as the sand filled our eyes with not a trace of water visible for miles and constantly slipping on the ice, breaking our bones over and over—bones which were on loan from the charitable twelve-year-old boy next door.

Re:More likely,

[rjstanford]

And even after all that, we still had to use a holepuncher before we could flip it over. I don't know, kids today with their double side...

Huh? DVDs are single sided again? Hmm... lemme get my holepuncher back out...

Re:More likely,

[Dragonslicer]

Just to toss in a contradictory story, I actually had pretty good experiences in high school with our computers. The school's system administrator was also a math teacher, but she knew what she was doing (as far as I could tell, anyway). I played around with Pascal programs a lot, and I hit the system's disk quota pretty easily. This was in the mid 1990's, so quotas were on the order of a few MB for each student. When I told the teacher that I was having a problem, she pretty much said "Oh, that's easy to fix," and set my disk limit to something like 100 MB. It was definitely a huge benefit to have teachers with a clue.

Re:More likely,

[Anitech]

Except that "professional" IT people have to deal with company polictics. If the higher ups decide that your sugested security fixes will interfere with their abiltity to only remember one password, what can you do? Just document that you were denied and start looking for another job. You can't always just blame the IT guy when budgets and politics are deemed more important. Though management will anyways.

Re:More likely,

[iamhassi]

"Let's not make excuses for the fact that Blackboard SUCKS in every conceivable way, as it has since schools first started using it."

The problem is the system has to be easy enough for your average teacher to use it but hard enough a child can't hack it.

That's probably very difficult to do. I'd imagine this "hack" was easier than they're willing to admit, let's not forget this 9 yr old just recently learned how to read most the content required to even start hacking.

But let's play devil's advocate, let's assume this is a super genius kid, that he's been reading since 3, coding at 5 and is now at a college level, that would explain how he figured how to do a real hack, but then wouldn't Blackboard and the school report that? Because as the article reads he's just a "very intelligent 9-year-old". Yeah, so is every 3rd grader now days, but that won't help sell Blackboard systems, couldn't you Doogie Howser up the kid a bit more? Perfect SAT score at 6 would certainly make me feel like this could never happen again. So this kid was not a genius, this had to be a easy hack.

Makes me feel very safe about my info at my old university that has switched to blackboard.

Re:More likely,

[RobDude]

The funny thing about it was that; right up until it happened - I really liked the class, the teacher and thought highly of my school.

But yeah - it is good to know that others have had better experiences than I did.

Re:More likely,

[fuzzyfuzzyfungus]

I've done some school IT work.

Here's my experience: The pay is pretty unexciting; but the pressure is correspondingly low. Corp pays better; but teachers are so much nicer to deal with(obviously teachers aren't 100% angels, and corporate isn't 100% nutjobs; but the difference between working in a place where the average response is "Hey, thanks a lot for fixing that!" and one where the average hovers around "OK" or "Well, why wasn't it done yesterday? I have things that need to get done!" makes a fair difference in one's state of mind at the end of the day). Because the pay isn't so exciting, you don't get many of your truly driven types; but because the conditions are OK, you do get better help than you would expect.

The real kicker, security wise, in my experience is the demand for ease-of-use and heavy use of various ghastly legacy software(stuff that shipped with textbooks and whatnot). I spent a lot of time grovelling through psmon traces, trying to get crap to run under limited accounts with as few security-compromising modifications as possible. Still, sometimes, you just had to do gross stuff to make it work.

The ease of use thing caused some limitations as well. Yeah, we knew that kids were bringing in crap on flash drives. Could we have stopped that trivially? Sure. No big deal. Except the shitstorm that would break out when all the faculty and students who shuttle work to and from school on flash drives learn what they can no longer do. Internet filtering was in the same bucket. Yeah, we have a firewall and a proxy, we can be as draconian as you like. Wait, so you don't actually want draconian? Ok. Yup, we knew that we could use Software Restriction policies, make sure that the set of locations that users can write to/mount from external media and set of places from which the system will execute binaries are disjoint, all that stuff. No problem. We could even set it so that ain't nothing gonna run unless the IT department has signed the binaries with their own private key. Guess what? The users, and Admin, would have had our heads. Teachers shoving in CDs from various textbooks and expecting the (usually Macromedia director based) content to Autoplay was a daily use case, among numerous others.

Then you get into the issue of legacy server software. Just as "enterprise" can be used as a epithet when describing software quality, and most enterprises of decent size have some real horrors lurking at the dark heart of their IT-assisted business processes, so does education. Bespoke crap, student information databases that were designed by people who thought that Windows 3.1 was too visually elegant and user-friendly, and that SQL was something that happened to other people, that sort of thing.

I don't intend this as a general apology for the state of educational IT, some of it is incompetence driven; but, a lot of it is pretty much like corporate IT, just with less money(and corporate IT has a few security issues of its own.) The same basic dynamics are in place. Some incompetence, some crap legacy software that you can't get rid of for organizational reasons, some security measures that are possible; but would cost too much or upset too many legitimate users, and so forth...

Re:More likely,

[RobDude]

Fair enough - that was an awesome post.

I won't lie, I'm still bitter about my own personal experience in high school (nearly 10 years ago now, wow). But yeah, I suppose I don't really paint the most fair picture of the situation.

And naturally, you hear about the problems, not the majority of places that don't have them.

Re:More likely,

[RobDude]

Fair enough. I won't lie, I'm pretty jaded from my experience. I kept waiting for someone sane and reasonable, who understood this stuff, to step in and say something like...

'Actually, the things this kid did were harmless and he was able to do them because we setup the accounts that way. Remember, we said it would take two weeks, but we had to get it done in a weekend and we were told to just make everyone admins? Well, yeah, so we setup his account as an admin and he did some harmless admin-type stuff. Maybe we shouldn't kick him out of class?'

But yeah - who knows.

Re:More likely,

A very similar thing happened to me at my high school. I took advantage of the schools lack of proper security, and the Luddite in charge of the network made up stuff about what I did and tried to press charges. Eventually it was all dropped and I enjoyed a week long vacation from school. The problem is that most schools just put someone in charge of their computers regardless of whether or not they acctually know anything.

Re:More likely,

[fuzzyfuzzyfungus]

Oh, I've heard some real horror stories from colleagues who have worked in other districts. It sounds like there is some seriously mismanaged crap going on out there, horrible churn, completely unclear mission, near-nonexistent resources(obviously, schools don't need the newest and shiniest; but if admins are being forced to use their personal vehicles to drive from building to building because the "IT Director" won't approve any sort of remote management tools, or make even basic efforts in the direction of maintaining decent network uptime, that just doesn't make sense).

My personal experience, though, has been pretty benign. Some sub-optimal stuff(some of which I was able to get fixed, some not); but mostly the same dynamics you'll see in IT anywhere, just with a somewhat longer replacement cycle, lots of customish apps, and fewer 50k SANs.

Re:More likely,

[operagost]

There's already a hole in the middle of a DVD, gramps! Whadda ya gonna do, punch another hole and call it a Blu-hair ray disk?

Re:More likely,

[phorm]

Just to clarify something. Curious, bored students might not have a lot of experience, but they probably do have a whole lot of time...

Re:More likely,

[RanCossack]

I had a similar yet oh-so-different experience in elementary school; I was less innocent to begin with, having found out the school was keeping test scores on a shared network drive with no password while I was trying to do something I vaguely recall had to do with getting a bomberman clone running.

I told a teacher and happily went on my way; a few days later, the principal, a very friendly and well liked guy, called me to his office and nicely asked me not to browse the network shares on the school computers; it wasn't until years and years later that I found out what had almost happened to me.

Years and years later, I found out from my parents that the school IT adminstrator had wanted to press criminal charges against me, expel me, and all that, and had convinced the board to go along with it. The school principle refused to do it and threatened to resign.

Now, after college and after years of hearing all these horror stories from friends and reading about them online, I appreciate what an amazing principal my school had, and how lucky I was.

Re:More likely,

[insufflate10mg]

What languages did the class program in?

Re:More likely,

[dominious]

Dear 3 digit UID /.er, we were talking about THIS century...

I'm getting off your lawn

Re:More likely,

[Ltap]

These little stories make me wonder - why didn't you appeal? Also, that feels far too extreme. The school could have the power to suspend/expel you, but not to alter your mark.

The trouble I see is that most people think that schools principals have no superior, when it's possible (although hidden and heavily discouraged by schools, obviously) to appeal just about anything and complain up to the highest level. This was done with a bad math mark on one of my exams (which the teacher, who disliked me, thought I wouldn't check after I noticed that it affected my final overall average) - the school refused to do anything, and ultimately the director of education for the district awarded me the lost marks after I had independent verification from a university math prof.

If I had to sum up my story, it'd probably be "schools suck, but they are not immune to being smacked around like a bitch if you can find someone to help you."

Re:More likely,

[rcamans]

Actually, the kid probably just guessed someone's password. So the only way the IT guy could have prevented it would have been to enforce strict hard passwords. easy enough to do.

Re:More likely,

[RobDude]

I graduated back in 01 - this happened during my junior year so 2000.

The school had two computer programming classes - AP Computer Science which was taught in C++ and an 'Intro to Computer Programming' class that was in VB6. At least, I'm pretty sure it was VB6, I know it wasn't .Net and I think it was too late for VB5.

I'd taken the AP Computer Programming class the year before, and wanted to take the Intro class because I thought it would be fun.

It fell onto the Math department to teach the computer classes and, if I remember correctly, it was only the second year of the Intro class and the teacher I had was a very competent math teacher - but seemed a bit out of place behind a computer. Regardless, he was a nice enough guy.

Overall, it seemed pretty sweet. The computers we had were pretty modern and, from what I understand, a lot of schools didn't offer any programming classes.

Re:More likely,

[TangoMargarine]

Now THIS is the kind of comment I read Slashdot for! Bravo :-)

Oh yeah, and, um, sorry. About your story.

I have a story too, but it's one somebody else told me. But oh well:

Back when this guy was in high school (~4 years ago I guess), somebody decided that it would be fun if he could set up a chat program for the students. So he codes up a simple program that writes lines of text to a file on the hard drive.

So far, so good. Now anybody who has a copy of the program can chat with everybody else. But for one reason or another, he made it so the program would, whenever ran, copy itself:

1. If not present on the C: drive, from the network to C:
2. If not on the network drive, from C: to network

Unfortunately, this triggered a little-known warning bell in the campus antivirus software. The first copy would go fine, but when it tried to write the file back to where it had come from, the antivirus program would permanently lock the user account. Not even the admins could reset it; they had to make new user accounts.

And since it copied itself from C: to the user's personal network partition, it in effect spread itself to a new user account each time someone new logged on. So before long, there were people who were starting to complain about getting locked out of their account.

Well, since this was an underground chat program to begin with, pretty much all the computer nerds got locked out of their accounts in a matter of hours. Eventually they had to go help the IT guys disable the program because IT couldn't fix it on their own. In the end, like a quarter of the students needed new user accounts.

PS: I got this story secondhand, so I'm sure it doesn't make sense in places. The guy I heard it from couldn't remember all the details either.

Re:More likely,

[dkf]

Let's not make excuses for the fact that Blackboard SUCKS in every conceivable way

There are ways it sucks that you've not conceived of. We have the enterprise grade version of Blackboard at work, specially hosted in The Cloud. The only people who don't hate it wholesale seem to be one department (CS, who resolutely stick to Moodle) and the head of IT who believes it is wonderful. Probably because Gartner says it is. I'm just glad that it is not something I ever need to touch personally.

Re:More likely,

[starfarer42]

When *I* was in high school, myself and four or five of the top students had access to the full Windows 3.1 shell interface instead of the very restrictive toy shell the other students were forced to use. No hacking was necessary -- the teacher set it up for us. We even had his admin password so we could fix problems for other students.

I think the teacher was a bit overwhelmed by the school's new-fangled Pentium computers and appreciated the help. Actually, I think between us, we students probably did most of the network administration tasks he was supposed to do. None of us abused the privilege and nobody ever got accused of hacking.

Re:More likely,

[egcagrac0]

Handle

Effort

Points

Double

Pencil

It's a pretty short dictionary attack.

Joshua, CPE1704TKS, etc.

Re:More likely,

[Bigjeff5]

I know a chemist for a local university, and from what he tells me their IT is pretty much pure crap. The universities are structured to be very competitive between departments so cooperation is very uncommon. The culture is such that if you don't have a PH.D. you aren't worth much, and of course nobody in IT has a PH.D. so they are at the very bottom of the University food chain.

This means they don't get paid as much as their corporate counterparts, and there is not as much immediate pressure from anyone to get your work done. This draws in the least talented, laziest and least competent IT staff possible, and the results are obvious. I am constantly flabbergasted by my chemist friend's dealings with the University IT department, and I can't understand it for such a small environment. It's nothing short of amazing.

And have you ever tried to fire someone at a University? They don't fire anybody, there isn't any real oversight at the top, just a pool of sharks who couldn't care less about computers. Hell, the university still has Computer Science classes given in a lecture hall on pen and paper! That's just ridiculous!

Re:More likely,

[RobDude]

It did end up getting escalated to the district superintendents who ultimately decided upon the punishment.

By the time they told us what it would be, I just wanted it all to be over, so I didn't much care. They didn't say they were going to give us F's - they just said that we'd be unable to return to the class and we'd receive 0s for everything we missed. And that, in the future, we'd be unable to use any of the school's computer equipment for any reason.

I honestly figured I'd *still* get an A - the class was almost over and I had a ton of extra credit. Maybe a B. And, I'd taken all the Computer classes the school offered - so it wasn't really much of a punishment at all.

When I got my report card though - it was an F. Mathematically, there is no way it would have worked out like that; but it was the summer and my GPA wasn't anything special. I'd received an A in the AP Computer Science class, scored a 4 on the AP test (as a sophomore) - but received an F in the Intro to Programming class. Despite having done excellent on all the assignments and despite having received lots and lots of extra credit. Some adult, some professional educator who was well paid by tax payer dollars, was angry and decided to give me an F.

My parents wanted to raise hell down at the district over it - but it didn't bother me and, being perfectly honest, I just wanted to be done with the whole mess. So, at my request, they dropped it.

I went through my senior year avoiding the math department, the principal, and all of the computers. It sucked. But, on the plus side, I became somewhat infamous; and pretty much everyone except my closest friends were convinced I'd done something much cooler - like hacked into the grading system or something.

Re:More likely,

[RobDude]

That's really what bothers me most about the whole thing - none of it had to go down like that.

Even if I wasn't supposed to have admin access or whatever it was that I did (I still really don't know what it was that set them off) had they just said, 'RobDude - don't do that'. I wouldn't. Even if I could, even if it wasn't locked down - that's all it would have taken.

"RobDude, I see you shared your drive; can you not do that? We don't want anyone to copy your assignments"

And I'd have been like, 'Sure thing!'.

Re:More likely,

[Bigjeff5]

I have a chemist friend who works at a University, and he has to build his own computers and upgrade his own machines because the IT department won't. Not for any good reason either, it's University equipment, doing University research, but all the IT department seems to be good for is randomly deleting his email, disabling his internet connection, and shutting down his servers. They have to be his servers, of course, because IT won't support them, god only knows why.

The University pays bottom dollar for IT because they don't care about IT. They care about PH.D.'s and professorships and power-grabs, so for people who depend on the IT stuff to work right, they pretty much have to be their own admin. That's why teachers insist on being able to install their own software, manage their own switches, etc. Because if they actually relied on the IT department to do that they could be dead in the water for weeks, if not longer.

Re:More likely,

[retchdog]

Even worse, a hoity-toity tenured professor will raise hell if finds out he makes less than any "computer janitor," even a senior one.

Re:More likely,

[fuzzyfuzzyfungus]

Unfortunately, Blackboard is crap of such epic proportions that it has taken being the primary focus of a corporation of nontrivial size to get it that way.

No mere teacher could possibly have done something so terrible in their spare time, even with access to Access.

Re:More likely,

[im_thatoneguy]

I got in trouble for this in gradeschool. Our system admin was incompetent and useless. All of our nice at the time large 17" and 19" monitors were running at 640x480. We asked repeatedly for him to change it but the only action I ever saw him take was to show up and reinstall windows.

Breaking his password was easier than guessing it. Instead of using a unified login system he had Novell and a local roaming profile. He put a password on his local roaming profile which was identical to his network admin password. So it was just a case of opening the .pwd file for which there are numerous easily googlable apps to brute force. In fact I'm pretty certain there is even a utility built into windows to open it.

Admittedly we caused a little more havoc than just changing the resolution, we also played pranks on other students by taking over their computers while in Word and pretending to be an Artificial Intelligence.

Unfortunately for us when we were caught we just had gotten a new principle who was in his 70s and didn't know anything about computers so the SysAdmin portrayed us as the manifestations of the antichrist. Looking back on it we should have stood up for ourselves, but we were in gradeschool, what can you do when your authority figures are all saying they're going to call the FBI and prosecute you for a felony unless you agree to everything they say. Looking back on it the school probably broke a dozen more laws than we did in their handling of the situation. We agreed to 40 hours of volunteering around the school each. And after all that, all the teachers still called on us instead of the IT guy to help fix things. Yeah, no bitterness.

By the way, his password was his first name followed by two numbers (13). I don't know if I could think of a password which is easier to brute force.

Re:More likely,

[bragr]

If blackboard allows you to do that. As previously stated Blackboard is a convoluted beast. The IT at my uni is pretty competent, and most things have password complexity requirements, but not for blackboard, which makes me speculate that it doesn't support that. Sure you could tack something on in the password change field, but this is a school we are talking about, think limited time, limited budget, and a lot of fires to put out.

Re:More likely,

[dingram17]

I did part time computer support for the computer classroom at the high school I went to (yes this was awhile ago, and the computers were BBC Model Bs or BBC Master Compacts) while I was at university.

I was told that I was offered the position because I had been one of the chief troublemakers when I was a pupil and I'd kept my predecessor on his toes and so it was thought that I'd be able to keep things in order :-) The previous guy (also a David) went on to work for a small company in the UK called ARM and designed a processor that could work with 16b and 32b instructions (US Patent 5740461) -- the 'Thumb', which is the T in ARM7TDMI.

I'm glad that I had such a good 'adversary' to go head to head with :-)

Working with the classroom computers helped when I applied for a more general PC admin role at a school closer to the university. Running a Novel network was quite a different experience, esp. when the 'standard' computer of the day was a 486DX-33 and the school was running discless XTs @ 8MHz.

Re:More likely,

[dannys42]

Not only do you have legacy software. You may have up-to-date crappy software. Blackboard is definitely one of those pieces of software I'd rather stay away from.

Re:More likely,

[zach_the_lizard]

I have to agree with the fact that there will be at least one machine, somewhere, that has admin access, and with admin access in a public school you can do some pretty scary things because of the massive numbers of old software.

Re:More likely,

[digitalunity]

In my high school it was even easier than this. They had the environment almost entirely locked down with one exception. Defrag was launched on a schedule.

This of course ran with SYSTEM privileges. Once you've got any MMC panel open with privileges, you're just a few clicks away from local admin rights. Then you can do whatever you want.

Re:More likely,

[yashachan]

At my college, even if you manage your own server, IT can still cause serious issues. One of my professors set up a class wiki on the software engineering server (which, as far as I know, is maintained by various professors) and IT was fucking up our access every day. Sometimes no-one could access it, sometimes only people on campus could access it, sometimes they'd change its supposedly static IP without notification, sometimes we had to directly use the IP (if it was the same as the day before...) to access it...

My school's IT also managed to destroy another professors laptop while installing Visual Studio (we're still trying to figure out why a professor who teaches software engineering classes needed IT to install Visual Studio).

Re:More likely,

[yashachan]

AD/Exchange allows such restrictions, and my college has us set our passwords through AD, and then we use them for all campus systems (PeopleSoft, BlackBoard, the webserver, AD, Exchange). I mean, aside from the insecurity of using the same password for so many systems, it does get around BlackBoard not allowing such restrictions to be set.

Re:More likely,

[yashachan]

Hell, the university still has Computer Science classes given in a lecture hall on pen and paper! That's just ridiculous!

What's ridiculous about that? All of my software engineering courses had their lectures done in a lecture hall/computer-less classroom (except for a 400-level class in UI development/design). The intro course had a lab period once a week. The two intro CS courses are structured the same. The CS/EE networks courses are structured the same (400-level courses). I've had one 300-level CS course taught solely in a computer-less classroom, and another that was supposed to only happen in a computer-less classroom (by student vote, it was moved to the CS lab, mostly so people could fuck around online during lecture). My college is considered one of the "most wired" (whatever that actually means) colleges in the US, so it's not like we don't have the appropriate resources. I actually prefer, and have done better in, the classes that were not done solely in a computer lab.

Re:More likely,

[Ltap]

I would have escalated it farther. Schools must have been particularly bad in your area; in mine, people at the district level generally have advisors for that kind of stuff.
I'd understand why you'd be tired of it, though, although I would have kept fighting for the sake of it.

Re:More likely,

[similar_name]

If only I had mod points

Re:More likely,

[toadlife]

I've been a Blackboard admin for about seven years now.

The current version of Blackboard is 100% tomcat/jsp. It used to be an ugly combo of perl and tomcat years ago, and I think it used to be just perl a long, long time ago. I have no idea where you're getting php/mysql/access stuff from. Blackboard runs on Windows and Solaris and the databases it supports are SQL server and Oracle. xml files are used for internal configuration files, though usually the files that admins are meant to edit and standard unix-style text-based config files.

The 80 steps to install thing has some truth to it. The install documentation (and the documentation in general) sucks ass and important steps tend to be described badly or left out completely. When things go right (i.e. once you've learned which parts of the documentation are wrong), installation can be a fairly smooth ordeal.

It's equally unreliable on both Windows and Solaris, with Tomcat being the reason. No version of Tomcat I've ever seen has never been able to withstand heavy load for long periods of time without either leaking threads or memory, or both.

As for it's authentication, I know exactly how it works and don't see an obvious design flaws in it. Blackboard is just a big complicated app, which makes for a large surface area to attack.

I would bet this kid just stole the teacher's password.

Re:More likely,

[AvenNYC]

Back when I was in school they had windows 3.1 on the computers, and the 'file explorer' (I think that was the name) icon came up with a password when you tried to run it. I just asked a teacher indirectly about it (technology incompetent teacher) and they were like 'it's scholar or something.' No hacking required.

Re:More likely,

[Pteraspidomorphi]

When I was in high school, I made a small tool (I wouldn't even call it a trojan - it made no attempt to disguise itself) which ran on the background of the school's Windows computers and allowed me, while in class, to take and retrieve screenshots from any computer or open their cdrom drives remotely and other such funny stuff. I used it several times in front of the teacher, and he only found it amusing. He wasn't so amused when I extracted his admin password from one of those old insecure Windows password fields, but he just told me not to do it again. And it's not like the teacher was particularly skilled or the principal a very friendly person (she wasn't, and she didn't like me very much), but at least they were mentally sane. Note, however, that I'm not american. Maybe teachers over there have a higher degree of suppressed rage against their students. Or maybe I was just lucky to end up in that school.

Re:More likely,

[trapnest]

Oh man, I remember foolproof. I am so glad that I was considered "IT help" though most of HS or I should surely have gotten in a lot of trouble. Why are school librarians so afraid of black windows?

Re:More likely,

[del_diablo]

I agree mostly with all points.
Teachers assume kids are stupid, and they should enforce disiplin instead of avoiding to fix problems........... Quite sad.

Re:More likely,

[Emperor+Cezar]

I came here to suggest this. There is always one teacher I wished to write a letter to. Not as big a deal as yours, but same principle. Teachers are fallible, but they need reminded of that. Some think they are not.

Being young, their decisions can have a lasting impact on some.

Re:More likely,

[obscuro]

9 years old is old enough to know quite a bit. When I was 9 (a loong time ago) I was building little electronic project like sequenced LEDs.... You got a book, got the stuff, followed some directions, did some trouble shooting.... That's a thousand times easier with network administration and the Google. There a plenty of things that would actually be pretty hard to fight against. How easy would it be for the kid to get local access to a server?

Re:More likely,

[Renraku]

I sent a message using Netware to a friend of mine in another room, thinking it would pop up on his screen like it did to the people in my room. It should have, but nope, it crashed the misconfigured network in the other room, causing their 1 minute typing tests to all abort. I get to explain to the principal for 3 hours what happened and why it happened before they got the IT guy in the room who laughed and thanked me for pointing out that a certain room had a bad router.

They were ready to kick me out of school and F out all my grades and rape my family and kill my cat because how dare a student expect the system to do something that it had been setup to do. They reinstated my computer rights after several of my teachers complained that it takes IT way too long to respond to their problems when I can just fix it right there in class in about two minutes.

Just remember. Schools are used to being all powerful. They don't like it when someone knows more about something than they do. It's a direct threat to their power/manhood/gumption/etc.

Re:More likely,

[hitmark]

sounds like a classic 80s story, back when hackers where the people that got the most minimal code to run the fastest, not the people grabbing other peoples credit card numbers for profit...

Re:More likely,

[dingram17]

Early-mid 90s actually :-) Hacking was still the goal of getting into systems that you weren't meant to, or doing things that you weren't meant to.

The BBCs had remote control capability (*REMOTE) and remote viewing (*VIEW) which were restricted applications, but there was the 'Advanced Econet programming manual' which documented the APIs. A copy of that was worth something :-)

We also discovered network sniffing by monitoring a certain memory location where the bytes on the Econet appeared. To capture traffic for an entire lunch hour required learning about paged memory access and efficient ways of storing data (just the user names and passwords used with *I AM). Yes we were up to no good, but we learnt a lot at the time. One thing the school did which was quite clever was to have physical access restrictions to the admin Novell network -- all of the PCs & 10Base2 outlets on that were in locked staff-only areas. Any 'playing' that pupils did was really only affecting each other (pranking) rather than doing anything really naughty. The admin PCs were discless terminals that booted through the LAN so were quite secure as well (that might have been tested when access was obtained once ...)

While the experimenting wasn't pure in intent, we did learn a lot and I have an appreciation for computer security now!

Re:More likely,

[tuxicle]

Why not use user groups, with only members of the staff user group allowed to access flash drives or run arbitrary unsigned software?

Re:More likely,

[Ihmhi]

The password for the city-wide administrative account on the Newark (NJ) School District's city-wide network (Total City Pop. ~280,000) was "123" circa 2001.

How do I know? I saw the head IT guy type it in right next to me.

HEAD IT GUY: *laughs* Did you see that?

ME: Yeah, dude, seriously? 123?

HEAD IT GUY: Heh, yeah. I don't really give a shit. If something gets effed up we can just restore from backups. Don't fuck with it, okay?

I made the (very stupid) mistake of telling one of my buddies the account details. I got pulled into the principal's office and suspended for 3 days. Why? In the two days since I learned the pass and subsequently (stupidly) leaked that info, no less than 30 individual terminals in my high school logged onto that account. There was tons of porn, warez, etc. I was asked about all kinds of shit and they basically thought I just loaded up the account with porn or something and was passing it around.

Obviously, I did something stupid and it was my fault. That aside, the head IT guy had the security practices of a retired grandmother running Windows ME with no antivirus.

But yeah, from my experience - at least with that one person - school IT admins are pretty damn incompetent.

Re:More likely,

[Ihmhi]

Your posts here have helped me come to a few realizations.

1) I was right in giving up on any serious kind of IT career. I don't want to have a stomach ulcer by 35.

2) I feel better about going towards being a teacher.

3) When I do become a teacher, be sure to treat the IT dude to lunch if he ever stops by, and be really nice to him - if only because of all the shit he has to deal with, but also because I especially like to be nice and helpful to the people who get little in the way of respect.

Thank you kindly.

Re:More likely,

[Ihmhi]

I see one of three things happening here in regards to your post:

1) The school is running on old Blackboard software (a likely possibility - "Why upgrade when we already have it? It works fine!").

2) The kid really did just see a password carelessly left around or a program carelessly left open, and they're using cracking as a bullshit excuse.

3) You have some sort of interest in Blackboard, either as a shareholder, company employee, or "professional reviewer"., and you're astroturfing.

After all these years of trudging through reviews of software/hardware/etc., I tend to take the majority of what you said with several million grains of salt. In my defense, your post also fits a common astroturf modus operandi: concede a few (small and unimportant) negative points - many of which are not directly related to the software itself (poor documentation, underlying technology (TomCat) has its weaknessess) and write a largely glowing defense of the product otherwise.

Re:More likely,

[toadlife]

You are right on #1 and #2.

As for #3, I did not expect that!

I could have gone on further about why I dislike Blackboard (both the software and the company, which is a patent troll). I was just responding to the GP whose facts about Blackboard's architecture were way off.

Re:More likely,

[socceroos]

I heard it was 123456

Re:More likely,

[Ihmhi]

If I see what looks like astroturfing I prefer to call it out and apologize later if I'm wrong. The whole practice is just filthy and dishonest IMO.

If a product can't stand on its own accord, then one should hire better programmers/manufacturers/etc. and less marketing people. A quality product with a modest advertising budget will sell itself and ultimately save the company tons of money in customer support, lawsuits, and general ill will.

As stated and promised: my apologies to you, sir.

Incidentally, anything I should be looking out for or worrying about as a prospective teacher if I am ever to be on the "user" end of any Blackboard software?

Re:More likely,

[Tregelen]

I was IT support for a High School for a number of years and we ended up moving as much away from Blackboard as possible. We ran our own web and email servers etc and things were much more secure than the Blackboard system. Never had a single student gain access to areas that they shouldn't have and everything ran smoothly. I went back last year, 3 years after I had left and they had moved back to Blackboard since no one was qualified enough to maintain the systems themselves and had been breached over 20 times by students. And we are trusting our children's information to that kind of system?

Re:More likely,

[toadlife]

anything I should be looking out for or worrying about as a prospective teacher if I am ever to be on the "user" end of any Blackboard software?

Be ready for tons of annoying bugs that are not showstoppers, but can disrupt workflow and require workarounds. Prepare to live with those bugs for long periods of time as the average time from problem report to a fix can be many,many months, and fixes usually only come in the form of version upgrades, so even if there is a fix, it may be in the new version which your school doesn't want to install.

When those bugs finally do get fixed, remember them, because they a liable to come back in future versions. We've seen bugs disappear and reappear in later version many times.

Also, prepare for browser compatibility nightmares. Right now, the latest version of Blackboard makes heavy use of AJAX and has minor problems with all versions of Internet Explorer, which is a big headache since most schools standardize on IE. I had to push out custom settings to all of our computers after we rolled out the new version of Blackboard.

Also, get ready for random failures, of which, your IT department or Blackboard will have no explanation for, since tomcat puts out no useful logs. One of the failures that is known to happen is test sessions freezing. This causes students who are taking tests to get locked out and all of the questions they have yet to answer marked as wrong.

I would recommend joining a Blackboard user group or listserv such as the one hosted by Arizona State. You'll get more help from other users than from Blackboard, as Blackboard's support is and has always been horrid.

Finally, I would recommend joining whatever committee that made the decision to buy Blackboard and advocate that your school switch to Moodle, or Desire2learn.

Re:More likely,

[pcgabe]

Nobody cares about my story either AND no one will read it three days later, but here it is. We moved to a new school when I was in third grade, and they gave me a placement test to determine my English ability. It was Dick and Jane stuff, which I had never seen before (I read Watership Down when I was in Kindergarten. I had started reading at age 2). Needless to say, I scored perfectly, which the school could hardly believe. So they put me in the Advanced course, with the _other_ two gifted students in the school.

On the first day of Advanced, we went to the computer room where they had six PET computers. Our treat for being Advanced students was to get to type in a program in BASIC and run it. Since my family had had a Vic 20 for a couple years, and since the BASIC language is pretty much the same for both, I read the code and told the other two what would happen when we ran it.

Kicked. Out. And in record time, no doubt.

I was never allowed around the PET computers again.

*sigh*

In high school, they gave the IT duties to the volleyball coach (for real). I don't know how he ended up with the task, but he kept grabbing me out of sixth period (which was his free period, but I had Geology) so I could help him with computer problems. I flunked Geology. Good times. :-(

Re:More likely,

[Ihmhi]

Thanks a bunch! I hope that I'll luck out and never have to deal with Blackboard. ;_;

Re:More likely,

[Culture20]

I have a chemist friend who works at a University, and he has to build his own computers and upgrade his own machines because the IT department won't. Not for any good reason either, it's University equipment, doing University research, but all the IT department seems to be good for is randomly deleting his email, disabling his internet connection, and shutting down his servers. They have to be his servers, of course, because IT won't support them, god only knows why.

I know why; we used to do the same thing in corporate IT for developers (they didn't even get internet access), but it's far more common in an academic setting: Your chemist friend wanted root. He NEEDED it. It was precious to him. So IT said "okay, it's your box then, no support from us, but we'll disable its port on the switch if we detect funkiness like spamming, brute force ssh, or port sniffing everything else". And then he told you a story about how he's so abused by the evil IT where he works.
Sorry, I'm having a bad day (because of this very same BS).

Re:More likely,

[pharmnet]

Even more likely than that: Some teacher who "knew a lot about computers" set up the system in his/her spare time.

Believe it or not, that is how a lot of school systems "IT guys" get started. I knew a guy who was a coach/history teacher (even coaches have to teach at least one non-PE class) at a middle school. Out of the blue he was "promoted" to the IT dept because he, in his own words, "knew a lot about computers"...

Re:More likely,

[Canazza]

A Client of mine - who shall remain nameless - has some of the least computer literate people I've ever met. The head's username is their first name, and password is 'password' - I just shake my head and facepalm. It's open to obvious abuse and we have NO control over it (I'm a content developer, as opposed to a sysadmin). As for Blackboard itself, they use it, it's the most convolouted horrible hard to learn LMS I've ever had the misfortune to have to use. I had to go through about seven menus just to get to the upload screen, and it's got more vague and uncertain options spread all over the screen it looks closer to the dash of a Boeing 747 than a website.

Didn't see that one coming.

[migla]

Pleasantly surprised by the last part of the summary:

"But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker."

Didn't see that one coming. I thought I was in for a story of stupid teachers overreacting and a poor kid dealt with harshly.

Re:Didn't see that one coming.

[Fantastic+Lad]

No kidding!

That brightened my day considerably. Though in a perfectly sane world, the police would never have become involved in the first place.

-FL

Re:Didn't see that one coming.

[U8MyData]

Yeah, that was refreshing wasn't it? I thought for sure there was going to be a "chicken little" story how a kid hacked the schools system and is now a cyber "terrier" (I shan't type the real word). I also love how news stories leave out the important details like the system itself was vulnerable to compromise by a simple CTRL-C at the logon prompt that dropped the "hacker" off at the root console. Seriously, have you seen some of the crap that is out there?

Re:Didn't see that one coming.

[kainewynd2]

Though in a perfectly sane world, the police would never have become involved in the first place.

We takes what we can gets in this new world of uber-paranoia.

I know I'm happy with the result. In School Suspension not juvenile detention!

Holy piss... that made a rhyme. Huh...

Re:Didn't see that one coming.

[zero_out]

If I were the one in charge of making the decision about what to do with this child, I would let him go and be thankful to him. He exposed a serious problem, and did no harm. If a 9 year old can do it, then a 17 year old can, and would be much more likely to cause harm. It's better to discover this problem with no damage being done, and fix it, than not discover it until someone who really knows what they're doing hacks in and actually does something destructive.

Re:Didn't see that one coming.

[talz13]

allowing the school district to handle the half-grown hacker.

Oh, they still have plenty of time to overreact on him, just that the police won't be involved.

Re:Didn't see that one coming.

[coolsnowmen]

I'm thinking that it is a product of a CYA sue-happy society. No one wants to take responsibility and have it be there problem when it goes wrong, and probably, school officials didn't have the technical expertise to even tell if harm was/wasn't done.

Re:Didn't see that one coming.

[swanriversean]

seriously, shouldn't he have been tasered a few times, then beaten for good measure?

Re:Didn't see that one coming.

[digitalsushi]

That's because the weight of ripping on a 9 year old is still greater than the default entitlement to fly off the handle over any negative event. If he was 18 he should be in jail, 16 suspended, 12 juvenile school.. 9 is still too young to be a dbag towards the kid.. pretty close though

Re:Didn't see that one coming.

[SanityInAnarchy]

In a perfectly sane world, no one would be using Blackboard to begin with.

Re:Didn't see that one coming.

[clone53421]

Yup. Now if only we could have as much sanity when a 5-year-old brings a GI Joe soldier figurine with a miniature plastic gun.

Re:Didn't see that one coming.

[EvanED]

I also love how news stories leave out the important details like the system itself was vulnerable to compromise by a simple CTRL-C at the logon prompt that dropped the "hacker" off at the root console.

This case is different because it was a small kid, but in general I don't see much of a difference there.

If doing something malicious is easy to do, it doesn't make it any more malicious. Changing other people's passwords, course materials, and course enrollment certainly qualifies as malicious IMO.

Re:Didn't see that one coming.

[ArsonSmith]

The problem with sue happy America is that not taking responsibility means you are at fault. By calling the police you are taking responsibility and pushing liability to someone else.

Re:Didn't see that one coming.

[Fantastic+Lad]

you have a strange definition of a perfect world. the security of a schools computer system was compromised from a remote location, and you'd prefer to keep the police out of it? somehow they were to psychically know that the perpetrator was a 9 year old with minimal malicious intent and thus shouldn't bother to investigate?

Yeah, that's a fair cop on your part. I didn't read the article and assumed that the hack was done on school grounds and thus lay withing the boundaries and resources of the school admin staff to remedy through basic disciplinary measures.

Still. . . As others have pointed out, the Blackboard software sounds like a security hazard waiting to happen. A perfect world would presumably not invite such trouble. It's an interesting problem; when the school is accessible from home through the internet, how do you track student behavior without the need for calling on outside resources like the police, who presumably have better things to do?

-FL

Re:Didn't see that one coming.

[dasdrewid]

Seriously, major props to these guys. For every angry email that's gone to an over-reacting principal/super-intendent, these guys should get a nice one.

I mean, he "deleted coursework" and they decided it wasn't "serious damage"... I feel like 9/10 times, he'd be under arrest for just having logged in.

Too bad this kid doesn't live closer to Chicago, cause I'm pretty sure in about 7 years we'd be reading an AP report about a wrecked Ferrari and the greatest parade grand marshall ever...

Two words

[Jawn98685]

...come immediatley to mind as I RTFA, "Terry Childs". This kid, admittedly, commits a crime by breaking into the school's computer system. Childs, on the other hand, did arguably prevent harm by carrying out his duty to maintain the network's security, and he's the one in jail.
[shakes head]

Re:Two words

[nomadic]

Childs, on the other hand, did arguably prevent harm by carrying out his duty to maintain the network's security, and he's the one in jail.

Childs had a responsibility to follow the instructions of his supervisors. It was not up to him to define the scope of his own employment. Just another narcissist network admin with a god complex.

Re:Two words

[Elshifto]

Childs was following his employers policies by not giving out confidential passwords to unauthorized people (which includes supervisors) and protecting the integrity of the network he was employed to protect.

Re:Two words

[BobMcD]

Childs was following his employers policies by not giving out confidential passwords to unauthorized people (which includes supervisors)

Except that's cyclical, isn't it? Who authorizes the people and then tells the admin who made the list and who didn't? The supervisors, that's who.

Your boss is always in the loop, unless specifically directed otherwise by a more powerful boss.

Re:Two words

[Bigjeff5]

It's not cyclical, it's sound IT policy. You pick a guy who knows what he is doing, and put him in charge of IT. He comes up with a policy, senior management approves it, and it becomes IT law.

The people who make and have authority to change these policies are generally very far above the admin's direct supervisors. Generally several layers of management.

A practical example, I work for a large oil company (global, one of the 100 biggest companies in the world). Up until a year or so ago, all of the upper level management for the local business (CEO, COO, etc) had free access to the server room. Policy above their heads changed, and their access was revoked, along with any other personnel that did not have a need to regularly access the server room. These people can easily fire the guy who manages the server room, however that still won't gain them access. The approval must come from outside.

In the Childs case, it sounded to me like the supervisors wanted free access to the equipment, which was against management's IT policy. These people may well have the ability to fire him, but that does not mean he should violate policy and give them access. There is always someone who has the authority to get the information in these cases, his supervisors just weren't those somebodies.

Re:Two words

[nomadic]

I doubt very much that the supervisors weren't allowed to demand the passwords. Do you have a cite showing otherwise?

Policy above their heads changed, and their access was revoked, along with any other personnel that did not have a need to regularly access the server room.

A better analogy to the Childs case would be the same person or persons changing the policy in the first place deciding to change it back; and the stubborn sysadmin clinging to the old one.

Personally, I think Childs likely has OCPD.

Re:Two words

[zippthorne]

Childs had two courses of action which had the potential to land him in prison and no courses which were clearly free of that risk. He chose the option that protected the citizens' of San Fransisco's interest and, as a result of T'ing off the higher-ups, guaranteed the prison time.

But make no mistake, if those same administrators had been vindictive (and I fail to see any evidence that they weren't) and he had turned over the passwords the way they'd asked, he'd still be in prison for putting the computer system at risk and in violation of the terms of his contract which specified the conditions under which he was to reveal passwords.

Re:Two words

[nomadic]

Childs had two courses of action which had the potential to land him in prison

I guarantee you, handing over the passwords would not have landed him in prison.

Re:Two words

[AK+Marc]

I guarantee you, handing over the passwords would not have landed him in prison.

When you hold the position as the DA for San Francisco, then you're opinion will hold some weight. Until then, it's an equal chance that if he'd given them up the first time asked, and someone logged in and broke something, he'd still be in jail for hacking, since he violated security policy in giving the passwords to unauthorized personnel.

Re:Two words

[nomadic]

You haven't established that his supervisors were not supposed to have access to it, and that position is highly unlikely.

it's an equal chance

No, it's not. Holding the network hostage was likely to get him in jail. If he had given his passwords to his supervisor when they demanded it, and then someone broke into it, the chances of the DA bringing charges are so astronomically low as to be laughable. And they are nowhere near "equal."

What's his Slashdot name?

Just curious.

Re:What's his Slashdot name?

[biryokumaru]

I heard he was kdawson.

Re:What's his Slashdot name?

Real hackers don't do slashdot. This place is lame.

Re:What's his Slashdot name?

[spazdor]

CmdrTaco, obviously.

9-year-olds love tacos.

Re:What's his Slashdot name?

[BobMcD]

Real hackers don't do slashdot. This place is lame.

Masochist?

Re:What's his Slashdot name?

[al.caughey]

and his password is secret.... no really

Re:What's his Slashdot name?

[icannotthinkofaname]

My best guess is that his Slashdot name is probably "Anonymous Coward".

In reality

[mbone]

...so the police withdrew and are allowing the school district to handle the half-grown hacker.

Of course, that's just what they are telling the press. In reality, of course, the boy is being put in charge of a supersecret underground Government cybersecurity lab on a deserted island even as we speak.

Re:In reality

[Andorin]

Absolutely. Now the government can actually respond to any claims that their security is so bad, even a nine-year-old could hack their systems.

Google

[mightysw]

The words, hack (crack) blackboard, and see how many cases come up. That thing is an abomination of teaching software that, unfortunately, is used across the country. Let the kid off. He did something that everybody else has already done.

Re:Google

[Tregelen]

Not just the country its used around the world. It is used in Australia and New Zealand and possibly other countries as well.

Obvious solution

[dkleinsc]

Send this kid to study with Knuth immediately.

Re:Obvious solution

[LunarEffect]

I was thinking more along the lines of Little Bobby Tables.

I doubt the kid is the 2nd coming of Kevin Mitnick

[axl917]

It is more plausible that the school's Blackboard was mis-managed/mis-configured to allow access to areas it was not supposed to.

Bobby Tables strikes again!

[HaeMaker]

Doesn't seem plausible he hacked it, probably someone walked away from a machine while still logged in. Or this: http://xkcd.com/327/

Bad software

[gman003]

I've used the system he hacked into, Blackboard. It seriously sucks, has security holes a blind lemur could exploit, and is so hard-to-use many of the teachers refused to use it (at a tech school!). If the school kept using it, they deserved someone hacking it.

Blackboard - the biggest educational POS EVER

[Khyber]

I could hack that POS in my sleep, and have multiple times. The University of Redlands has some of the most incompetent IT administrators EVER - hack blackboard, get access to student accounts, surf the web on their network with not a goddamned one of them being the wiser, under an account that I could use to frame that person.

Doesn't help their wireless AP broadcasts into my apartment at such a high power level that it blocks out most of the other wireless APs when it's engaged. 5 bars on my router two feet away? As soon as a game starts up in their sports complex, I lose my router and I get a big fat UoR signal. I hack it EVERY SINGLE TIME and they're still not smart enough after several warnings to ditch blackboard and ResNet and find something more reliable.

Re:Blackboard - the biggest educational POS EVER

[BitHive]

This sounds like BS to me. If Blackboard was so bad, they would fail in the free marketplace and be put out of business. Since the value judgments of the free market are beyond reproach, the fact that Blackboard still exists and in fact is very expensive, means it is highly valuable and therefore good.

I suspect you are just a communist detractor with elitist opinions.

Re:Blackboard - the biggest educational POS EVER

[Khyber]

It can sound like BS to you but a third grader just fucking owned the system. Even AOL wasn't THAT easy.

Re:Blackboard - the biggest educational POS EVER

[ae1294]

This sounds like BS to me. If Blackboard was so bad, they would fail in the free marketplace and be put out of business. Since the value judgments of the free market are beyond reproach, the fact that Blackboard still exists and in fact is very expensive, means it is highly valuable and therefore good.

HAHAHA.. I really hope you're joking.

The Free market doesn't work like that when you inject blackjack and hookers into the equation. Do you really think that the teachers or IT staff for that mater get to decide what crapware is forced on them?

I guess you've never worked in government... Honestly I'd like to know where you do work?

Re:Blackboard - the biggest educational POS EVER

[gcatullus]

What is scary is that some people will read your comment literally, and they actually believe that.

Re:Blackboard - the biggest educational POS EVER

[FooAtWFU]

See, this is government work. The "free market" doesn't operate very effectively here.

(I've used it. Blackboard isn't total crap, but it is pretty bad.)

Re:Blackboard - the biggest educational POS EVER

[Minwee]

the fact that Blackboard still exists and in fact is very expensive, means it is highly valuable and therefore good.

Soooo... Which University do you make spending decisions at? Based on your comment I can narrow it down to a few hundred or so.

Re:Blackboard - the biggest educational POS EVER

[BobMcD]

Could be a POS, not commenting there. However:

1) You're admitting to a crime. Stop it. There is absolutely zero reason to do so unless you're desperate for the wrong kind of attention.

2) Try a distinct channel. Assuming 802.11b/g you have three viable options. Try Channels 1/6/11. These are the only ones that do not overlap. They can't be occupying all of these at the same time, at the power levels you're stating they are. Or, if they genuinely are doing so, call the FCC and I imagine it'll stop fairly soon.

Re:Blackboard - the biggest educational POS EVER

[i.r.id10t]

Kind of explains why they purchased WebCT (and then killed it off) and then purchased Angel last year (and will be killing it off). Can't compete? Buy 'em out and kill 'em off...

Re:Blackboard - the biggest educational POS EVER

[BitHive]

The beauty of the free market is that it always produces the cheapest, most efficient, and highest quality outcome. Even if you work in government, if you are smart enough to let private industry dictate requirements and bid on projects you will always realize a quality far beyond what you'd get if you asked lazy proles like teachers and IT staff what they think.

Re:Blackboard - the biggest educational POS EVER

[ae1294]

always produces the cheapest, most efficient, and highest quality outcome.

O my bad, yeah we are in total agreement then... The corporation does indeed always reap the highest quality outcome!

Re:Blackboard - the biggest educational POS EVER

[zippthorne]

Oh yeah. Get a radio amateur to measure the power levels. 802.11b gear is unlicensed, and as such the maximum allowed power is very low. A local amateur is likely to have both the equipment and the inclination to measure and report violating emissions.

Re:Blackboard - the biggest educational POS EVER

[AK+Marc]

I guess it takes a regular radio operator to figure it out. The Capitan Cook Hotel in Anchorage is broadcasting so strong it has to be illegal. I've wanted to report them, but I have no idea how.

Same for me!!!!!! Except.....

[tacokill]

Same for me! Right up until I realized the kid was 9....

Come on, really? You're gonna make that comparison?

Kidding?

[grishnav]

I thought I was only kidding when I said the security on Blackboard was so bad a 9 year old could hack it.

Re:Kidding?

[matrim99]

I thought I was only kidding when I said the security on Blackboard was so bad a 9 year old could hack it.

Yeah, they took your advice into consideration when they implemented a "Please enter your age" pre-login screen to block out those nefarious 9 year olds.
Looks like the wiley bastard must have lied about his age too.

</fiction>.

Re:Kidding?

[Stick32]

I guess you could say, "hacking Blackboard..." *sunglasses* "is child's play..." YEEeeEeEAAAaAaAAaaaAAhhhhh!!!

Re:Kidding?

[skine]

It's Child's Play?

So even a doll can hack [at] the system?

Re:Kidding?

[TheVelvetFlamebait]

That was so unbelievably lame, I actually laughed. :-)

you can't seriously be defending childs

[circletimessquare]

childs had a god complex: "i am the only one who has the right to administer this network"

he built the network for san francisco. san francisco had every right to do whatever it wanted to do with the network they hired him to build. if san francisco wanted to hand out passwords to the network to hackers, san francisco has that right, and childs has no right to any say on the matter

the man was not protecting the security of the network, the man believed he and he alone had a right to decide what to do with the network. the man has boundary issues: he felt attached to the network like it was his child. he probably invested a lot of time and energy into it, but so what? there's such a thing as taking pride in your work... then there is psychotically remaining attached to your work and assuming you and you alone can forever more decide how your work is used

he was reimbursed for his work. end of story. his actions are completely indefensible. the man needs psychological help, you have no valid basis to defend the wackjob. lock childs up, he only deserves punishment and psychological treatment

and furthermore WHERE THE HELL DO YOU GET OFF COMPARING TERRY CHILDS TO A NINE YEAR OLD

Re:you can't seriously be defending childs

[tsstahl]

his actions are completely indefensible.

Really?

Not a zeroeth law fan are you?

Childs is an ass. I think we can all pretty much agree on that. However, his initial actions that started the cascade of buffoonery were well within his job description/duty. If as a worker bee someone outside my management structure, yet still well placed, asks for the keys to the kingdom, I'm going to politely point that person toward my management structure to service the request. If it can be immediately shown to me that providing said keys in a timely fashion could prevent some sort of real harm, physical, or virtual, I'll make the call, otherwise, let my boss tell me.

Re:you can't seriously be defending childs

[spazdor]

there's such a thing as taking pride in your work... then there is psychotically remaining attached to your work and assuming you and you alone can forever more decide how your work is used

you should be arguing about copyrights before Congress.

Re:you can't seriously be defending childs

[T+Murphy]

Comparing Childs to a nine year old sounds just fine to me. Comparing the nine year old to Childs wouldn't sit as well, though.

Re:you can't seriously be defending childs

[mikael]

I believe he feared that his line-managers would change the configuration settings in some way then turn around and say, "See, he configured all this wrong, and created a whole load of security risks. You shouldn't pay him compensation."

So when he hands the keys to the mayor, he knows that they can't do anything like that.

I would be embarrassed...

[sircastor]

... If I were the school's network admin, or even the district tech person. Granted that this may be a matter of simply finding a password/watching a password. I remember when I was in 6th grade, we had a teacher who would hunt and peck his way through is password. It was easy enough to catch it.

SOoCs?

[Hognoxious]

But police and school officials decided no harm, no foul.

Pity it doesn't apply in all cases.

I guess embarrassing a school board over lax security is less serious than embarrassing the Pentagon over a complete absence of it.

Surprising response from THIS Police department

[schwit1]

Law enforcement agencies in Northern Virginia say you have no right to know what they're doing

Obviously...

[ewilts]

...their IT folks are not smarter than their 5th graders.

Re:Obviously...

[flanders123]

Obviously...People that modded this +3 funny did not read the FIRST SENTENCE of the FTA. I didn't know Dane Cook read /.

Re:Obviously...

[SleazyRidr]

I would postulate that a person not smarter than an 5th grader would also not be smarter than a 3rd grader. (This relies on the assumption that a 5th is smarter than a 3rd grader, which is kinda the point of schooling...)

The joke relies on knowledge of a game show known as 'Are You Smarter Than a 5th Grader?" If you've never heard of it, I don't blame you, it's pretty stupid.

tl;dr- WHOOSH!

Ahhh

[The+MAZZTer]

Reminds me of the time my HS computer teacher accused me of "hacking" into the network.

What did I do? Pretty much opened Internet Explorer.

Someone had set it's homepage to a local network drive instead of the usual homepage. I noticed this and opened up the folder to see what it was (it was a dev server for the school website or something). I was going to poke around but then it dawned on me that school website code was going to be horribly boring to read so I closed the window and forgot about it.

So then the teacher comes up to me and accuses me of guessing the computer name, poking around in its shares in Windows Explorer and somehow hacking past password protection. Keep in mind there was, in fact, no password protection (or my account was mistakenly given access).

I guess I need an ending to this story hmm. Later that year she left the school right before the end-of-school awards ceremony (she was the only teacher ever to not be present and not give any awards out while I attended. Every teacher AT LEAST gave certificates out for As and most also gave plaques out for special accomplishments). She had even promised T-shirts to anyone who could type over 50-wam in a contest thing she ran. I scored 53 and I'm still waiting for my T-shirt.

And the login was...

[wo1verin3]

login: iladministrator
pass: xxx

Icon Unisys for life

Re:And the login was...

[Mr.+DOS]

Pretty sure the password was hunter2.

Re:Same for me!!!!!! Except.....

[Rhaban]

Come on, really? You're gonna make that comparison?

Comparison seems fair to me.

Terry Childs name is Childs, the kid is a child... the cases are very similar.

Underage Contractor?

[Mr+Pleco]

Does it still violate child labor laws if I hire him as an independent contractor?

Channeling Groucho Marx...

[bynary]

A child of nine could hack this system. Send someone to fetch a child of nine.

seriously ;-) lol

[circletimessquare]

terry childs went to the RIAA school of system administration

Re:FTFA

[FlyingBishop]

My impression is that this says more about Blackboard's security than anything else.

Time to switch to one of the FOSS (and in many ways superior) alternatives:

Moodle and Sakai

Really, it's amazing Blackboard is still around with two full-featured FOSS competitors in existence. I guess it's just testament to the power of lock-in.

explained in that fashion

[circletimessquare]

his actions ARE defensible

so either you would make a very good defense lawyer, or your understanding of the situation is superior to mine

the way i understood the story, multiple levels of the administration made multiple requests on childs for access and he psychotically refused, for a long period of time, even as the press got wind of the story

then he grandstandingly renders access only to the mayor, in person. pffft

i mean, if i built a system for the pentagon and then insisted i would only give access to president obama in person, after repeated requests for access over multiple levels of pentagon hierarchy over a long period of time, that anyone lower than the very top man was merely a "worker bee", then you can safely call me psychotic

so either my understanding is wrong, or you're a smooth talker

Re:explained in that fashion

[boxxertrumps]

the way i understood the story, multiple levels of the administration made multiple requests on childs for access and he refused, for a long period of time, even as the press got wind of the story

then he renders access only to the mayor, in person.

Sounds much more reasonable when you take out the adjectives.

Re:explained in that fashion

[AK+Marc]

so either you would make a very good defense lawyer, or your understanding of the situation is superior to mine

I vote for the latter.

so either my understanding is wrong, or you're a smooth talker

Or both?

Strictly speaking, the city screwed up royally. They asked for him to perform work duties after they fired him. They realized they screwed up, so they lied to the police to get him put in jail until he answered questions they had no right to require answers to.

If you have a description that makes mine factually incorrect, please point it out. Regardless of what he did and didn't tell anyone, I've never heard of someone who didn't work for the government that was thrown in jail because they didn't sit an exit interview and answer every question asked. It's simple city abuse of power, throwing the weight of the city against him because they screwed up in handling him prior to that.

Whether he's an ass or whatever is irrelevant.

Re:FTFA

[RobDude]

Ineptitude of the admin accounts for 99.9% of student hacker stories.

This kids are not discovering some new exploit and utilizing it. In the most malicious of cases, the kids are taking advantage of a well known issue that they found an app for on the net, or installing a keylogger on a teachers machine before class.

And if you've got junior high kids who have managed to learn enough on their own, at that age, to do that; give them a free pass and ship them off to MIT.

Re:I doubt the kid is the 2nd coming of Kevin Mitn

[Monkeedude1212]

When I was 16 I learned about SQL injection and inserted fake records into the high school database. I'll admit, my vulgarity probably wasn't necessary. I got a very firm slap on the wrist from the principal and my parents, and a very firm handshake by the IT Teacher. The next year I finished all the programming (VB) modules in the Computer Technology class, and did web page design (basic HTML, no scripts or css). In my last year, the IT teacher approached me about helping him rebuild the system I broke into in my first year. I of course felt obligated, knowing the damage I COULD have done.

Man... Good times...

I look back on it now and it seems obvious why I could never keep a girlfriend...

heck yeah Ender!!

[Chaseshaw]

heck yeah Ender!!

Blackboard

[Arancaytar]

Is the proprietary online education platform with an apparent side job as a patent troll, if memory serves.

Given its closed nature, I wouldn't be surprised if their software is full to the brim of SQL injection, XSS and CSRF vulnerabilities that an interested elementary school student can exploit.

Re:Blackboard

[Arancaytar]

It's a web portal, so it's a good guess they're using *some* SQL database server.

But I also read the technical requirements document to find out, and they seem to support Microsoft's SQL Server as well as Oracle as a backend.

Use the source, Luke.

[crono_acl]

Quick, someone measure his hacker-midiclorians.

Re:I doubt the kid is the 2nd coming of Kevin Mitn

[Beardo+the+Bearded]

Oh, you mean little Bobby Table?

') DROP TABLE

There's an xkcd for that, but it's firewalled at work. I can only assume one of the IT folks reads /.

Cause?

[DavidD_CA]

Given the media's propensity to use the word "hack" whenever possible, did the child actually "hack" Blackboard, or was he able to guess someone's password?

Or, as I've seen on rare occasions, did an administrator give the boy administrator access by mistake? (Sometimes, teachers will attemt to make a student a TA and select the wrong option.)

I got accused of "Hacking" also...

[DarthVain]

I don't think many teachers really understand the word. I got suspended from school for "hacking" and bringing down the school network.

I was in computer lab, which were all Macs, and not "Cool" Macs everyone has now, but the big square brick shaped monochrome screen macs. We had one PowerPC I think. Anyway I digress. So I was in lab finishing up an assignment, when I saw an option in the menu to "encrypt" my floppy disk after I had finished saving (as if I haven't dated myself already). Knowing what encryption was, and thinking it was neat that the option was available on the Mac I encrypted my floppy with a password to protect all my really important and top secret labs etc..

Fast forward to the next day. I get brought into the Principals office in the morning, and accused of taking down the system. To which I have no idea what the hell they are talking about.

Anyway long story short, my buddy that was sitting beside me, saw what I did, thought it was neat, and tried it himself. The differance being rather than selecting the "A:" drive... yes that's right he selected the "C:" drive. Encrypted the whole damn computer.

Big deal you say? Well this was back when people still used "Ring" networks, which required being able to talk to its immediate two networked neighbors to function properly. One of them now a lump of encrypted uselessness. Though in defense the system was set up by our Grade 10 math teacher, not an IT professional.

The guy also had no idea what he had entered for his password. Whole machine had to be wiped and re-installed. Which they also made me do as "punishment" after my suspension.

Why did I get accused? Because they basically said my buddy wasn't smart enough to do it on his own, and that I "enabled" him to do it. So ya... that's how I got suspended for "hacking" when I was younger. I would not be surprised if it is something as idiotic or more so in this case.

Re:I got accused of "Hacking" also...

[profplump]

6/10. Next time remember that drive letters belong to DOS, that most of the Mac with built-in monochrome CRTs didn't have internal hard drives, that token-ring devices were typically connected to a MSAU that took offline hosts out of the loop, and that encryption was not readily available -- particularly whole-disk encryption that can be applied while running from the disk in use -- anytime that the computers described in common use. Also try to work in an offensive or controversial person or group name for maximum effect.

Re:I got accused of "Hacking" also...

[Pozican]

Beat me to the punch. Nice try though OP.

Re:I got accused of "Hacking" also...

[DarthVain]

Well I don't know what to tell you smarty pants.

Understand, that was the line that was fed me. As I said my reaction was "what the hell are you talking about"...

As to your technical prowress you might want to fact check. I did use a monochrome built in CRT Mac, and I did encrypt my floopy disk. That was in 1993 I believe. That I personally know. The rest is second hand information that was fed to me to explain why I was getting suspended.

Re:I got accused of "Hacking" also...

[k8to]

He's not talking about tokenring, but rather phonenet/appletalk which is an overgrown multidrop serial bus. In that system, of course, is just like a 10Base2 ethernet in that it's a broadcast medium and a crashed node will not affect the other nodes in the least.

You *can* have a problem if the server is configured as a router, since it is persistently establishing the 'zone' or roughly the network number for the network, since appletalk is ridiculous there is a whole sad state that occurs where reset or newly introduced computers will be in the 'automatic' network, and the ones that have seen the router lately will be in the routed network, but that would just entail weird effects where some nodes couldn't communicate with the rest.

Re:I doubt the kid is the 2nd coming of Kevin Mitn

[Monkeedude1212]

That one is definately my favourite.

Hack? Nope ... boneheaded admin? Yes

From TFA ... "a student's account at Spring Hill had been enabled with administrator privileges"

Sounds like the kid didn't hack anything, didn't use a login from a teacher or administrator. Looks like his account was "enabled with administrator privileges."

Re:Same for me!!!!!! Except.....

[coaxial]

Same for me! Right up until I realized the kid was 9....

So that means we should try him as an adult, right? *snark*

How very sad

[snspdaarf]

I had great hopes that the psychopathic shitheads running the schools in the '70s were all sterile, but TFA and comments prove otherwise.

Re:FTFA

[Kaboom13]

As a youth in high school, I knew the passwords for 90% of the administration. With it I could have changed the grades, class schedule, modify the student record, or even suspend any student in any school in the entire county. How did I know it? I didn't hack anything. Teachers frequently told me their passwords so I could help them with computer problems (the only full time IT staff at the school was hired because he was someone's cousin, and a good basketball coach, and the county wouldn't give them funding to hire an actual basketball coach). It didn't take long for me to realize they followed a simple pattern based off the teacher's name. It was an easy jump to realize the administrators had the same pattern. They were supposed to change it when they logged in the first time but few knew how and even fewer bothered. I could have easily caused a lot of mischief, accessed confidential student records, or boosted my grades (something that would never be noticed because the scantron system teachers used to input grades frequently made errors, and administrators would fix them with only verbal confirmation) but I didn't, because it would have meant violating the trust of a couple of excellent educators who had truly gone above and beyond in a system that rewarded politics and actively punished excellence.

The point being, security in schools is often terrible, and it does not require hacking skills to acquire the credentials or access to systems a student should not have access to.

Thanks for the insight.

[Benfea]

And yeah, I work for a community center where people are more interested in usability than anything else. If I told you half of what goes on here, your hair would stand on end.

Where were your parents?

[syousef]

Where the fuck were your parents in all this???

Re:Where were your parents?

[RobDude]

The high school phoned them the same day they called me down to the office.

In the beginning, I was convinced it was just a harmless misunderstanding so I was all, 'No Mom, it's fine. I didn't do anything.'

And - they'd just threatened us with expulsion - they didn't actually punish us at first. After the first day they took us to the office, we were told to go back to the office instead of programming class. We just sit in the general waiting room and were like, 'LOL - wut?' the six of us.

But my parents did end up going down to the district headquarters and speaking with a superintendent and all sorts of junk.

I was actually pretty lucky; my parents believed me when I told them that I didn't do anything that could be considered malicious. The worst thing I did was make it possible for other students to see my assignments. But they were so over-the-top and unique, nobody would be able to copy them and put their name on it.

My biggest fear was getting in trouble with my parents; so once that was I gone, it wasn't so bad.

on your job

[circletimessquare]

do you clear everything with the ceo in person?

sound reasonable?

Re:on your job

[Vancorps]

Actually, yes, I do. Of course I also print out a reference doc which has all the passwords and that is kept in a safe at the CEO's house and another copy is in his office here at HQ.

Regardless, San Francisco policy at the time was that passwords would only be given to the Mayor, this was explicit which meant that Childs' managers had no right to ask for passwords let alone ask for them in a public setting including many people who weren't authorized to have said information.

The SF case is full of butt hurt public figures doing everything they can to justify their actions which increasingly are seeming more and more unreasonable. I look forward to the outcome of the case as I think it will provide many organizations with a what not to do handbook.

When this case first broke the CEO came to me asking for all passwords and which point I took the opportunity to have this discussion with him and to create a policy which contained advice from legal. In the end, everyone was happy with the outcome and our CEO realizes that he can trust me but more importantly, he understands how important security is. This is a tough lesson to get through to most people. At this company we have a blanket policy, never give out passwords, it's not required. For the edge cases we have an encrypted database where we store information that a few of us need. You of course need to be authorized first. This has eliminated the majority of questions when issues arise and I'm not around.

Re:Blackboard XSS

[Omniscient+Lurker]

You can get Admin in blackboard by running some javascript on your computer. Authentication is done client side via javascript.

You gotta be kidding!

[woboyle]

I imagine this has already been said, in some form or other, but if their systems were SO insecure that an 8 year old could compromise them, then the school officials themselves should be charged with gross incompetence and fired summarily!

I should be impressed?

[mandelbr0t]

This is the pinnacle of 3rd-grade hackers now? Nope, they just don't make them like they used to.

bullshit

[circletimessquare]

"San Francisco policy at the time was that passwords would only be given to the Mayor"

no city the size of san francisco would ever have such a policy

you're a baldfaced lying sleazebag

Re:bullshit

[Vancorps]

lol, that's funny given that all but one of the charges against Childs' was dropped for that vary reason. Continue to think that though, I'm sure it'll lead you to riches beyond your wildest imagination.

Re:FTFA

[fuzzyfuzzyfungus]

Oh, it is so. much. worse. than mere "lock-in".

In order to help define their(utter shit) vs. the not-always-completely-brilliant; but far cheaper and better, FOSS competition, Blackboard has been expanding their offerings in new directions:

Physical Access Control Systems...

Video Surveillance...

And, yes, ID cards, cashless transactions(on and off campus), etc..

Yup. In order to protect their worthless core product from extinction, they've made it possible to bring the same level of quality to basically every corner of your campus and the lives of your hapless students. Be afraid. Be very afraid.

NOT a hack, NEW Wash Post story clarifies:

[superj711]

New Washington Post story today clarifies that it was NOT a hack of Bb – someone found and used a valid teacher login. http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html Local Digest Friday, April 16, 2010; B02 VIRGINIA Boy had teacher's computer password A 9-year-old Fairfax County boy who changed course content and passwords in the Fairfax school system's online teaching system -- including the superintendent's -- accessed it using a teacher's password, officials said Thursday. The school district detected the problems last month and, with the help of Fairfax police, tracked them to a McLean boy's home computer. Police obtained a search warrant that said Fairfax's version of the widely used Blackboard Learning System "had been hacked" and that the boy's Blackboard account had "administrator privileges." Blackboard and school officials clarified Thursday that the boy had not found and exploited a security vulnerability, but rather that he had obtained a teacher's password. Fairfax schools spokesman Paul Regnier said the boy was able to use that access to enroll other users, including Superintendent Jack D. Dale, into his class and could then change their passwords. -- Tom Jackman

Re:NOT a hack, NEW Wash Post story clarifies:

[sreservoir]

if a teacher can change the superintendent's passwrod, you have a problem right there.

Foolproof sucked badly

[voss]

I say this as an educational IT person. It caused more problems than it solved and I wound up removing it from all the computers
  within a year of starting my job at my school.

Re:Foolproof sucked badly

[Bob+Cat+-+NYMPHS]

Ten years ago, I went over to the local Jesuit University library to do some research. Cool, they have computers [Win98]! What can I do? Hmm, not much. Stuff is missing - they locked it all down somehow. Wait, there's something...

Foolproof? WTF is that? Clickety click...

Owned in thirty seconds. Not just that PC, the whole network.

Twenty years before that, we only managed to escalate our privileges a little - but that was on the uni's mainframe.

Thats not similar

[voss]

Robdude was simply trying to make it easier to do his class work with no malicious intent, you were hacking. You got off easy, he got screwed.

ok asshole

[circletimessquare]

then what IS he being charged with

Re:FTFA

[tompaulco]

Really, it's amazing Blackboard is still around with two full-featured FOSS competitors in existence. I guess it's just testament to the power of lock-in.
Software companies that charge for their products can afford better salespeople. I'd wager dollars to donuts that most school districts are not even aware of an Open Source alternative. Blackboard calls and says they have software to sell. Open Source doesn't call anybody. Guess who wins? Blackboard. Guess who loses? Everyone who pays taxes.

Re:FTFA

[yashachan]

So /that's/ what Moodle is. A link for it showed up on the student portal at some point this semester or last. I couldn't figure out what it was, nor did I care enough to look it up. I'm guessing some math/CS professors got fed up with Blackboard and finally twisted IT's arm far enough to get them to set it up. Most professors still use Blackboard.

As an European I respectfully disagree

[LienRag]

Well, America is a free country.
We are a free people.