Some friends and I hacked Blackboard last year. We exploited it by smuggling null bytes (0x00) via. their WebDAV protocol.<p>This made it possible to hijack other accounts, including our professors'. So we hacked our own grades and then reported it. Luckily we didn't suffer the same fate as Demirkapi.<p>Blog post here: <a href="https://bustbyte.no/blog/how-we-hacked-blackboard-and-changed-our-grades" rel="nofollow">https://bustbyte.no/blog/how-we-hacked-blackboard-and-change...</a>
I'm confident that if you poked around the software of the vast majority of organizations in this world, you'd find "SQL injections galore". There is just limitless amounts of old code that no one has the resources to address. Should the information on students be well protected? Of course. Have you ever seen the software running your local dentist, doctor, insurance office? It's just impossible to spend money and fix things that already work.
Me and my friends had a lot of fun hacking into our school IT systems in high school. We took security as a challenge, not as a warning.<p>At various points, we had a shared file server for sharing movies and music for the whole school, bypassed the proxy (which also gave us a vastly improved connection speed), had Unreal Tournament 99 on the computers (this was ~2010, but it was one of the only games that would play well), we figured out how to send messages to all computers (using Novell Zenworks or something), and eventually a few of us just had full root access to the entire system. We also had lots of fun with fork bombs, setting peoples desktops to porn (we weren't meant to be able to change our desktop but there were workarounds), and the occasional broadcast storm.<p>If only we had known about bitcoin at the time, we'd have become rich running a mining network on the school computers.<p>Luckily, our school had a very relaxed attitude to our shenanigans. We generally avoided doing anything actively harmful and we also got a few free passes by helping the IT staff when they had problems (they were useless at their job).
I had a similar experience being 13, but luckily for me it only involved my own highschool website and data. I found a blind sql injection and got access to the credentials of any user. I wasn't a particularly mature 13 y/o so I started messing around.<p>My highschool reported the incidents and I got caught in a few weeks. I almost went to trial, my hard drive with my StarCraftII campaign almost finished was confiscated (I haven't seen it again since that moment) and it was overall an instructing episode. It didn't go any further because my parents had good relations with the highschool's direction and they withdrawed the report as soon as they knew it was me.<p>In the following years I kept in contact with the webmaster and I remember feeling very encouraged to report any other flaw I could find to him. I found a few more things over the years, but most importantly learned a lot.<p>Every time I read news like this I remember how grateful I felt when my highschool not only forgave me but also helped me keep learning. I believe it can make a difference, and even more so when dealing with younger kids.
>Demirkapi passed on his findings to his school's IT department. However, it ended up being viewed by every school in his district and he was suspended from school for two days.
I live in the town where this happened. A lot of us parents already hated the software involved. On the other hand, it's not clear that alternatives would fare any better. In my experience, software specific to non-technical orgs like schools or doctors' offices is uniformly terrible not just in terms of security but all over. I wouldn't be at all surprised if competitors' software was even worse. Such is the state of the world.
Blackboard. Ha ha ha. Blackboard.<p>When I was in school, there was a vulnerability where you could reach courses that you didn't belong to, simply by changing the id in the URL. A couple of students got punished (banned from school computers for months) for exploiting this (to leave a message on said courses). As of a year later, the vulnerability was still not fixed (although the messaging infrastructure was disabled).
That correlation is very frustrating -- people should take this more seriously, but those who discover things are punished... should be pretty obvious why security is way it is, right?
True story: I inadvertently hacked the Smart TVs at my college once. They are typically always showing announcements, and they let student clubs post messages with the approval of Student Life.<p>Well, after a software update, nobody noticed that the permissions system for the TV was disabled. So I come along, a few weeks/months/? later and make an ad for Math Club, and it went live immediately. No Student Life approval.<p>Of course, this isn't a glamorous bug. Briefly thought, "Man, if I was a bad guy, I'd totally post some really _shocking_ material." I wasn't a bad guy though, told Student Life, and they fixed it.<p>EDIT: There is a shared account detailed in the Club manual on how to create a TV ad (for context).
An article with more details is here:<p><a href="https://www.vice.com/en_us/article/59nzjz/teen-security-researcher-bill-demirkapi-suspended-for-exposing-vulnerabilities" rel="nofollow">https://www.vice.com/en_us/article/59nzjz/teen-security-rese...</a><p>This article has more details about the reasons Demirkapi was suspended. Apparently he first tried to contact Follett (the software maker) directly, but they ignored him. He then tried to use the software itself to send a message Follett, but the message was instead broadcast to a large number of parents, teachers, and administrators across the district. This does seem pretty irresponsible, and Demirkapi said he understood the reason for his suspension.<p>Thus, this doesn't seem like the usual "person reports vulnerability and is punished for it" story.<p>Of course the ultimate responsibility lies with the software makers who have these vulnerabilities in their software and who don't respond when someone reports them.
This was the case when I was in school too. (Gesh, it's been that long already?!).<p>I bet most schools are in a similar situation. Lack of a proper budget, cheaply made software sold by shady vendors, IT staff that isn't properly trained, etc.
This kid seems a lot more responsible than I was when I was in high school.<p>Taking about manipulating the URL parameters... yeah, I used that trick to apply discount codes way back in the day. The web form wouldn't accept them, but if you bolted them on to the URL after that step in the checkout process, they'd blindly get applied to your cart anyway. Found one for like 95% off a CD, and used it on a laptop at BestBuy. 15 year-old me thought he was really smart, but mostly he was just a vandal and a thief.<p>Best line:<p>> "Don't fall for marketing. Just because (vendors) say they take care of data doesn't mean they do."
A good friend of mine got suspended for a semester after he found a pretty trivial flaw in his university's password reset form that would ultimately allow him to reset the password of anyone who had an account on the school's network including faculty and administrators. IT discovered him, locked him out of the network before he was able to report it, and threatened to take legal action. From what I've heard, they never fully fixed it. He went to a technology university mind you.
I found the same thing in high school. Except that I didn't tell anyone, and it was fixed after a few months. I guess someone was looking at request logs after all.
As a current high school student I know that my school's software has similar weaknesses. I talked to our IT "department" (we only have one active person that I know of) and he said the district does not really have anywhere to bring up the issue.
My school (biggest school in Germany in the time) had VNC Server running on all PCs, so the teachers could check what there students where doing. Surely enough they used the same password on every single PC in the whole school. Fun times.
For a 17 year old, that is brilliant. But he has to look after himself because obesity problems create bigger problems. You can not spend so much time in front of a computer. Take a walk. Do some sports. You can be a good hacker too. Peace man.
<a href="https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/" rel="nofollow">https://www.wired.com/story/teen-hacker-school-software-blac...</a>