They Hacked Their School District When They Were 12

67 points by jqueryin, over 6 years ago

20 comments

peterwwillis, over 6 years ago
I'm almost surprised that school administrators are still pulling the same shit they did 19 years ago. I have basically the same story. I dropped out and got a GED after I was framed by a malicious network admin and expelled, the record of which followed me to each subsequent school. I still managed to work my way into having a career, luckily. But the effects on my family and my development as a kid were significant.

Not only is it unfair, it's hypocritical. First the school keeps the lamest possible security practices (or none at all), and then they punish the kids that stumble onto unprotected systems. It's like keeping unlocked storage closets where kids could get into harsh chemicals, and then recommending the state pursue criminal charges when the kids find them and spill them everywhere. The bigger question is, Why did the school leave the closet unlocked, and why is the school not held accountable??

To answer the article's question, they should partner with other school districts to offer advanced cybersecurity programs to gifted students. At the very least, get the kids to participate in something like picoCTF so they have an outlet for their talents. After-school programs in addition to more advanced online classes will really help.

But also, schools should stop being run by moronic fear-mongering administrators with no conscience.

krsdcbl, over 6 years ago
Is it just me or does the story inexplicably blow up the boys' tech proficiencies and then almost casually mention that all they did was log in to school computers with credentials from a post-it on the machine itself in a public space?

How are they at fault if said credentials grant them access to unprotected sensitive records and an obviously badly exposed administration system?

TipVFL, over 6 years ago
I had a similar level of access to my school's network when I was 12. It was really easy, just watch the teacher slowly peck-type her password. It was "teach". That gave me access to everything for her class.

Later on she had to log in to the admin account, and that password was "burger". It turned out to be the password for every admin account in every school in my district. I'm guessing they were all set up by the same guy, with a note saying, "make sure to change the password!"

I had access to EVERYTHING. But, I was a pretty good kid, so I just poked around enough to really verify that I could do anything and then I logged out and never logged back in. I was terrified that I was going to get in huge trouble just for accessing things I shouldn't have.

pdkl95, over 6 years ago
One day (1994) during AP CompSci, my friend was looking for ways to bypass the cheap Mac System 7 lockdown software ("Mac Control" by BDW Software). He found the file that changed during password changes, and was astonished to find it was the same length as the password. (N character password -> N byte file)

Me: That sounds trivial to break; have you tried XOR?

Friend: I'll try that now. [Tries ONE value] It's just XORing each character of the password with 0xC9!

Me: Wow, that was fast. Why did you guess 0xC9?

Friend: 0xC9 is 11001001.

Yes, my friend was a huge Trekkie. ( http://memory-alpha.wikia.com/wiki/11001001_%28episode%29 )

We spent the rest of high school getting strange looks from teachers that hated that we always seemed to know their passwords, but also wanted our help fixing their computers.
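
The storage scheme pdkl95 describes (each password byte XORed with the constant 0xC9, so an N-character password gives an N-byte file) set beside a salted key-derivation hash, as an added example that is not part of the thread or of the software named in it. The function names, sample passwords and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

XOR_KEY = 0xC9           # constant quoted in the comment (binary 11001001)
PBKDF2_ROUNDS = 200_000  # assumed work factor, tune to your hardware
SALT_LEN = 16

def xor_store(password: str) -> bytes:
    """Weak scheme from the comment: every byte XORed with one fixed key."""
    return bytes(b ^ XOR_KEY for b in password.encode("utf-8"))

def xor_recover(stored: bytes) -> str:
    """XOR is its own inverse: read access to the file equals the password."""
    return bytes(b ^ XOR_KEY for b in stored).decode("utf-8")

def kdf_store(password: str) -> bytes:
    """Hardened form: random salt + PBKDF2-HMAC-SHA256, fixed 48-byte record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest

def kdf_verify(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def compare_schemes(passwords):
    """Per password: what each stored record reveals to someone who reads it."""
    report = []
    for pw in passwords:
        weak, strong = xor_store(pw), kdf_store(pw)
        report.append({
            "weak_len": len(weak),                        # leaks password length
            "weak_reversible": xor_recover(weak) == pw,
            "weak_deterministic": weak == xor_store(pw),  # same password, same file
            "strong_len": len(strong),                    # constant for any input
            "strong_unique": strong != kdf_store(pw),     # fresh salt each time
            "strong_verifies": kdf_verify(pw, strong),
        })
    return report

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for row in compare_schemes(["pw1", "a-longer-example-passphrase"]):
        print(row)
```
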

volfied, over 6 years ago
I wonder if the security guard or the librarian who left the post-it notes on their machines are reprimanded in any way. Or the librarian who left the student list Excel file unlocked on the machine, that contains sensitive information.

While what the kids did is simple to us, it is magic to these other people who can't even fathom the security implications of such a system. And that's the scary part. The technology is adapted faster than it is being understood.

watwut, over 6 years ago
I hate that cultural thing where actions like this are treated as something good to be glorified - while simultaneously threatening them with jail.

What about not overreacting either way, teaching them right and wrong, legal and illegal too and punishing them in an age-appropriate way without involving cops?

contingencies, over 6 years ago
So close to my own memories! Back in Sydney in the mid 90s at perhaps 15 I reconfigured a modem to allow for dial-in then explored the regional network of the NSW education department remotely in the evenings. The machine was intended to serve code, which we set up for diskless network boot and distributed games like Quake for network deathmatch (we also wrote our own from scratch, e.g. we had a nibbles.bas hacking competition where we modified multiplayer single keyboard versions to add features ... I recall flamethrowers, mines and lasers). We also used to play crobots. I stopped exploring the network after teachers started perplexingly asking questions if anyone was in the school computer room later in the evening. Similar to the subject of this story, it was really just curiosity, and I was also later offered a job with an ISP as a result of the control obtained, where I made my first RIP advert mistake, learned to tar to and from tape, and other such fun. Also managed to intern at Fuji-Xerox where the Unix admin department had me learn bash scripting, walked me through cabling and network topology management techniques and I got to self-educate through a broad range of Cisco online learning courses. Fun times. Years later used essentially that body of knowledge to design and operate substantial Linux clusters. I have worked in many continents in areas as diverse as embedded, clustering, mobile, digital video, finance, and now run a robotics company in China. At the time I recall I just hungered for knowledge and wanted nothing more than a teacher to point the way to new areas. One of the accidental teachers who popped up on my periphery was Julian Assange, whose strobe got me in to protocol analysis and much reading of RFCs which resulted in announcing ~1999 many discoveries of undisclosed remote OS detection techniques across protocols like ICMP, IGMP, and even ARP. I've since written a few internet standards drafts of my own.

Key insight for kids in these spaces ... it's harder to create a system and defend it than to find holes in them. The parents are correct to encourage building versus breaking. Breaking is very important also, however, but should ideally be encouraged with a parallel focus on professional ethical development and perhaps anthropological/philosophical insights as a personal frame of reference in to the established national/educational/legal bureaucracies who may otherwise seek to spurn talented and unique individuals such as these.

peterkelly, over 6 years ago
The district should hire these guys, because they're obviously more competent than the current IT staff.

philamonster, over 6 years ago
Speaking to the ineptitude of the district, you have to understand that a lot of districts are horribly understaffed and/or mismanaged. "Best practices" from an IT perspective is often an unknown or misinterpreted/ignored to band-aid disparate systems RIGHT NOW because someone forgot to renew a license or so-and-so at DO got this great deal on some (most-likely) Pearson product from a frat-brother/neighbor/family member. There is no room for growth professionally and not much in the way of training/certification that doesn't require the employee learning on their own time and dime.

Soul-crushing lack of accountability is a factor as well. Outside of physically assaulting someone or stealing a bunch of shit it is almost unheard of for someone to be terminated for either incompetence or negligence unless it's so optically bad for the district or administration as a whole that they have no choice.

Then you have to take into account the skillsets that you're left with when capable people leave. In my experience, those that can swim best often jump ship first and with them take knowledge that was either carelessly preserved or is totally unattainable by the staff that remains. Positions are sometimes never back-filled leaving less capable staff to pick up slack and the cycle continues, things get overlooked and stagnate and smart, bored kids own your ass.

vezycash, over 6 years ago
With the school being technically inept, how did they get caught?

pbhjpbhj, over 6 years ago
If they just got in, didn't break stuff, didn't copy test papers or change grades, didn't victimise anyone - just took some electric and processing power - then they resisted a lot of temptation (or didn't realise quite the power they were holding).

Give the proceeds to charity, repay the electric from their own pockets (e.g. by doing chores), get them on a course or give them hardware to set up comps they can hack at legally.

auganov, over 6 years ago
So they mined crypto, installed backdoors, accessed camera footage... and the story is generally positive and defensive of them[0]. This clearly goes beyond "just a prank" and depending on the severity ranges from very irresponsible to anti-social and malicious.

[0] for the record I don't mean it shouldn't be, it just sounds bad enough, so imagine how bad a non-charitable take would be

haser_au, over 6 years ago
A school system, where this level of potential and passion goes unnoticed and unharnessed for good, is a broken system. The full extent of their exploits remains unclear, due to ongoing legal action, but it should have been detected well and truly before it got to the CCTV access stage.

fauxpersona, over 6 years ago
Similar story here, but very different outcome. Messed around a bit in junior high, but in senior high our school had their home-built web-based intranet. Several security issues (at least half of OWASP 10 basically), so escalated that to full access of db with cracked account passwords. Windows AD network and I don't remember the details but it involved a service account with a weak password, Remote Desktoping into some admin server and getting a local copy of a database with NTLM hashed passwords, cracking those for all users. I didn't actually do anything much apart from just exploring the security aspects. Didn't probe in private messages between teachers (definitely in their internal message boards though!), try to look at the grading database, etc. Eventually got caught because one of my two friends who were in on this had got caught having the wrong window open at school and they got on to us.

That was nerve-racking.

There was a whole internal crisis around it - it was not a huge school, private IT and media school with less than 1000 students at the time. They had logs that made me have to admit and I effectively got cut off the AD. Game over.

However, I still had a private 0day for the intranet so I could see what they were writing about what to do with the situation. It seems like the consensus was to turn us in to the police - just like with the boys in the article. But then our head of school posted an MP3 file on an internal closed message-board arguing for how this was not a way to do this and instead we got "detention"; I had to build a web app and database for connecting students to companies for internships. Which was pretty fun.

Some time after graduation and military service, the head of school calls me out of the blue and wonders what I am up to now. Apparently he had moved on from the school and was now working with one of the most famous web entrepreneurs in our country with a small startup in the town where I went to high school.

So that's how I got my first full-time job, where I learned a lot.

Morality aside, which approach was more constructive here?

jtbayly, over 6 years ago
My freshman year of high school we had similar access. Mostly used it for auto-installing Doom on all the library computers at once every time the poor admin went through each computer and manually deleted it.

One friend wrote a fake login program that would immediately quit and run the real login program so we could collect credentials.

Another friend got in real trouble though, supposedly for either trying to or actually changing grades. I knew we could get in trouble. But I also never would have considered doing anything other than pranks.

Of course, even pranks can be dangerous. One of my friends found an open mail server (not that there was any shortage of those at the time) and sent some prank emails that could have gotten him in real trouble.

mynameishere, over 6 years ago
This article and all the comments here are really making these kids out to be heroic geniuses. Maybe, just maybe, they knew they were breaking some pretty serious rules. Because, you know, while not exactly geniuses, they weren't idiots either.

edtechstrats, over 6 years ago
I first profiled the story of one of the two boys at https://k12cybersecure.com/blog/moths-to-a-flame/. AMA.

vezycash, over 6 years ago
The school taped passwords for anyone's eyes. What did they expect? Based on the available info, all the boys did was use available login details, and installed remote login software and crypto mining software and played CIA surveillance.

The school's extremely negligent / tech poor and they want to hide their embarrassment by blowing up the skills of the boys. Anyone who has used TeamViewer will testify that it's impossible to hide a remote viewing session from the client screen.

The boys should sue for entrapment.

jacquesm, over 6 years ago
At the ETS in Amsterdam the system was set up in such a way that you only got so many compute seconds per schoolyear. I spent nearly all my budget defeating the accounting system so I could have unlimited computer access. That and drafting classes were the few interesting things in that school, the remainder was very basic electro technical and electronics stuff.

xs, over 6 years ago
If you like this story you may like this podcast episode. 15 year old hacks his school and gets more than he bargained for. https://darknetdiaries.com/episode/17/