3rd Grader Accused of Hacking Schools' Computer System

Gud writes "According to The Washington Post a 9-year-old was able to hack into his county's school computer network and change such things as passwords, course work, and enrollment info. From the article: 'Police say a 9-year-old McLean boy hacked into the Blackboard Learning System used by the county school system to change teachers' and staff members' passwords, change or delete course content, and change course enrollment. One of the victims was Fairfax Superintendent Jack D. Dale, according to an affidavit filed by a Fairfax detective in Fairfax Circuit Court this week. But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker.'"

Dade Murphy?

[Tumbleweed]

Zero Cool strikes again. Mess with the best, die like the rest!

Re:Dade Murphy?

[cosm]

When I was in high school, I was in the library one time working on a project. The internet was acting flaky, so I fired up the command prompt. A nearby librarian saw me running ipconfig, and immediately notified the principle. I was sent down to the office and screamed at by the principle and a few other administrators for exhibiting 'possible terrorist activity'. They banned me from computers for the rest of my senior year, and I had to go to 2 after-school detentions, (A+ student, no prior record at the school). Even after trying to explain myself to the district IT admin, I was fed the line "You were doing something unauthorized, so you pay the price".

Fuck you WHS.

Re:Dade Murphy?

[severoon]

Whoops, I think there's a minor error in this summary and the headline of the article. It should read, Fairfax County public school system administrators criminally negligent in securing sensitive data. There, glad I fixed that...

Re:Dade Murphy?

[gnasher719]

And you are wondering why Europeans laugh hysterically when Americans tell us they live in the freest country in the world.

More likely,

[PhrostyMcByte]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Re:More likely,

[Rary]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Actually, although TFA doesn't provide any details about how the "hack" occurred, they do differentiate between this and a similar case where someone merely obtained someone else's password. The implication of the article is that there was actual technical skill of some kind involved.

Re:More likely,

[$RANDOMLUSER]

Even more likely: Had security been adequate to keep out a determined nine-year-old, it also would have completely stymied the teachers and administrators.

Even more likely than that: Some teacher who "knew a lot about computers" set up the system in his/her spare time.

Re:More likely,

[commandermonkey]

ABS News has another article about the incident:

According to a search warrant, the computer savvy boy was able to get a hold of an administrator's password at Spring Hill Elementary to get into the Blackboard learning system

http://www.wjla.com/news/stories/0410/726170.html

Re:More likely,

[nametaken]

Let's not make excuses for the fact that Blackboard SUCKS in every conceivable way, as it has since schools first started using it.

If there's any problem at all with some staff member's abilities, it manifest itself in the decision to license that pile of trash in the first place.

Re:More likely,

[spazdor]

Yeah, preteens ain't got any skillz unless they've coded their own sploit. I bet this kid doesn't even know how to write kernel patches. What a retard.

Re:More likely,

[RobDude]

Nobody cares - but here is my evil 'hacker' story.

When I was in high school, I was kicked out of my programming class, along with five other of my friends. We were marched down to the principal's office. I was given the title of 'ring-leader'. It was interesting stuff. Apparently, I was an evil hacker.

At first, I was like, 'Don't worry guys' because, after all, I didn't do anything bad. I did some cool stuff - like a program to change the desktop resolution, so I could write code in 1024xwhatever instead of 800x600. We'd also enabled sharing of our network drive so that we could work on our class stuff from anywhere in the building (which meant I could do homework in the library).

When I was in the room with the principal, she asked me to explain what increasing the resolution did, exactly. I tried my best, I told her....'Well, ummm....it means there are more pixels on the screen than you'd have otherwise....and it....ummm....gives you more space.'

She paused....and said.....'So, you mean to tell me, you were able to see parts of the screen you weren't supposed to? Did you ever think that maybe there was a reason those parts of the screen were hidden!'

I'm not joking. I'm not exaggerating. And at that point, I was basically forbidden to speak. Her mind was made up, my fate was sealed.

I thought it was a pretty good explanation from a 16 year old kid who didn't really know jack and who was fairly nervous at the time.

I was threated with expulsion from my school, kept out of class, given an F in my programming class (prior to this, I had an A+ and would literally go around and help other kids, the same as the teacher would. I'd spend hours in the library making my program do things far beyond the scope of the assignment. I was a great student).

Eventually, after much drama, it was decided that I could remain in my school - but that I couldn't touch any school computers for the rest of my high school years. That's to say, for the entirety of my senior year, if I was in English class and we were supposed to type a paper - I had to sit there and not touch a computer.

The stupidity is overwhelming to the point where it seems unfathomable.

I still don't know what trigged it all. The things I did, I had permissions and access to do - so I don't see how that really fits as hacking. We had an idiot running the school, and apparently, an idiot running the IT department. I'm guessing that nothing was locked down and someone did something actually malicious and they looked and saw that, OMG, some kids are working on their homework in the library via their network drive! And so, we (and more specifically, I) became the target of their rage.

Schaumburg High School/Sharon Cross - you suck.

Re:More likely,

[RobDude]

In my experience - this.

I don't know why schools are this giant black hole of suck - but they are. My school was very well-to-do, and had some of the highest paid teachers in the country. I don't know why they could find an IT guy who could follow industry accepted best practices.

If you can't stop a curious, bored, student - who really doesn't know jack; you have no business working in IT.

I love how everyone wants to attack the kids in these school + computer security cases. Nobody ever wants to talk about the trained 'professional' whose job is to prevent these things - getting schooled (haha) by a kid.

Instead of kicking the kid out of school - why not fire the IT guy, get a real IT guy, and then, let the kid (who will proudly offer it up) show the new IT guy what he did. The new IT guy will shake his head and go, 'Yeah - that should be locked down'.

Re:More likely,

[AngryNick]

As my 8 and 12 year old daughters have explained it to me, it is more likely that Junior guessed the username/password for a few key accounts and leapfrogged up the food chain from there. The student accounts in the lower grades are generally based on the student's id and a formula driven password that any 2nd grader could figure out. More cracking that hacking.

This is just one more thing to add to my list of worries for my girls:

• Getting knocked up
• Locking me out of their Linux machines
• Going to jail for hacking blackboard

Re:More likely,

I don't know why schools are this giant black hole of suck

Multiple reasons. First off, schools don't pay shit. If you have the skills to do IT for public K-12 schools then you have the skills to get a far better job in the corporate world. And secondly, schools are horrible places to work. I worked in IT from 1996 through to the summer of 2009. During that time I had a couple of short stints where I worked IT in two separate K-12 school districts and they were easily the worst jobs that I have had in my entire life. In one of the places I was something like the twelfth IT director that they had hired in the past few years. The turnover rate was approximately one per every eight weeks. It sucked that bad.

IT in schools sucks because nobody with any skill is willing to do it. It is shitty work, you are treated horribly and you are paid poorly.

Re:More likely,

[Beardo+the+Bearded]

I've got a six-year-old girl, and the only one that I'm worried about is #1. If that happens before she's ready, then I have failed as a father.

#2 gets rewarded. "WTF did you do here? I've got physical access and you've locked me out. Let me order you some RAM and you can show me what you did." (She uses Puppy now.)

Long before #3 happens, there would be a legal and media shitstorm to keep her out of jail. We've got a family lawyer, and really, Blackboard, do you want Everyone to know that a teenager can easily bypass your security protocols?

She got one of her friends to give up their "webkins" password. It's really hard to tell her "that's wrong" when you're really thinking, "fucking AWESOME! High five and ice cream!"

Re:More likely,

[fuzzyfuzzyfungus]

I've done some school IT work.

Here's my experience: The pay is pretty unexciting; but the pressure is correspondingly low. Corp pays better; but teachers are so much nicer to deal with(obviously teachers aren't 100% angels, and corporate isn't 100% nutjobs; but the difference between working in a place where the average response is "Hey, thanks a lot for fixing that!" and one where the average hovers around "OK" or "Well, why wasn't it done yesterday? I have things that need to get done!" makes a fair difference in one's state of mind at the end of the day). Because the pay isn't so exciting, you don't get many of your truly driven types; but because the conditions are OK, you do get better help than you would expect.

The real kicker, security wise, in my experience is the demand for ease-of-use and heavy use of various ghastly legacy software(stuff that shipped with textbooks and whatnot). I spent a lot of time grovelling through psmon traces, trying to get crap to run under limited accounts with as few security-compromising modifications as possible. Still, sometimes, you just had to do gross stuff to make it work.

The ease of use thing caused some limitations as well. Yeah, we knew that kids were bringing in crap on flash drives. Could we have stopped that trivially? Sure. No big deal. Except the shitstorm that would break out when all the faculty and students who shuttle work to and from school on flash drives learn what they can no longer do. Internet filtering was in the same bucket. Yeah, we have a firewall and a proxy, we can be as draconian as you like. Wait, so you don't actually want draconian? Ok. Yup, we knew that we could use Software Restriction policies, make sure that the set of locations that users can write to/mount from external media and set of places from which the system will execute binaries are disjoint, all that stuff. No problem. We could even set it so that ain't nothing gonna run unless the IT department has signed the binaries with their own private key. Guess what? The users, and Admin, would have had our heads. Teachers shoving in CDs from various textbooks and expecting the (usually Macromedia director based) content to Autoplay was a daily use case, among numerous others.

Then you get into the issue of legacy server software. Just as "enterprise" can be used as a epithet when describing software quality, and most enterprises of decent size have some real horrors lurking at the dark heart of their IT-assisted business processes, so does education. Bespoke crap, student information databases that were designed by people who thought that Windows 3.1 was too visually elegant and user-friendly, and that SQL was something that happened to other people, that sort of thing.

I don't intend this as a general apology for the state of educational IT, some of it is incompetence driven; but, a lot of it is pretty much like corporate IT, just with less money(and corporate IT has a few security issues of its own.) The same basic dynamics are in place. Some incompetence, some crap legacy software that you can't get rid of for organizational reasons, some security measures that are possible; but would cost too much or upset too many legitimate users, and so forth...

Re:More likely,

[RanCossack]

I had a similar yet oh-so-different experience in elementary school; I was less innocent to begin with, having found out the school was keeping test scores on a shared network drive with no password while I was trying to do something I vaguely recall had to do with getting a bomberman clone running.

I told a teacher and happily went on my way; a few days later, the principal, a very friendly and well liked guy, called me to his office and nicely asked me not to browse the network shares on the school computers; it wasn't until years and years later that I found out what had almost happened to me.

Years and years later, I found out from my parents that the school IT adminstrator had wanted to press criminal charges against me, expel me, and all that, and had convinced the board to go along with it. The school principle refused to do it and threatened to resign.

Now, after college and after years of hearing all these horror stories from friends and reading about them online, I appreciate what an amazing principal my school had, and how lucky I was.

Re:More likely,

[dominious]

Dear 3 digit UID /.er, we were talking about THIS century...

I'm getting off your lawn

Didn't see that one coming.

[migla]

Pleasantly surprised by the last part of the summary:

"But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker."

Didn't see that one coming. I thought I was in for a story of stupid teachers overreacting and a poor kid dealt with harshly.

In reality

[mbone]

...so the police withdrew and are allowing the school district to handle the half-grown hacker.

Of course, that's just what they are telling the press. In reality, of course, the boy is being put in charge of a supersecret underground Government cybersecurity lab on a deserted island even as we speak.

Blackboard - the biggest educational POS EVER

[Khyber]

I could hack that POS in my sleep, and have multiple times. The University of Redlands has some of the most incompetent IT administrators EVER - hack blackboard, get access to student accounts, surf the web on their network with not a goddamned one of them being the wiser, under an account that I could use to frame that person.

Doesn't help their wireless AP broadcasts into my apartment at such a high power level that it blocks out most of the other wireless APs when it's engaged. 5 bars on my router two feet away? As soon as a game starts up in their sports complex, I lose my router and I get a big fat UoR signal. I hack it EVERY SINGLE TIME and they're still not smart enough after several warnings to ditch blackboard and ResNet and find something more reliable.

Re:Blackboard - the biggest educational POS EVER

[BitHive]

This sounds like BS to me. If Blackboard was so bad, they would fail in the free marketplace and be put out of business. Since the value judgments of the free market are beyond reproach, the fact that Blackboard still exists and in fact is very expensive, means it is highly valuable and therefore good.

I suspect you are just a communist detractor with elitist opinions.

Same for me!!!!!! Except.....

[tacokill]

Same for me! Right up until I realized the kid was 9....

Come on, really? You're gonna make that comparison?

Obviously...

[ewilts]

...their IT folks are not smarter than their 5th graders.