Not only is it unfair, it's hypocritical. First the school keeps the lamest possible security practices (or none at all), and then they punish the kids that stumble onto unprotected systems. It's like keeping unlocked storage closets where kids could get into harsh chemicals, and then recommending the state pursue criminal charges when the kids find them and spill them everywhere. The bigger question is, Why did the school leave the closet unlocked, and why is the school not held accountable??
To answer the article's question, they should partner with other school districts to offer advanced cybersecurity programs to gifted students. At the very least, get the kids to participate in something like picoCTF so they have an outlet for their talents. After-school programs in addition to more advanced online classes will really help.
But also, schools should stop being run by moronic fear-mongering administrators with no conscience.
After a little playing around we handed the duty technician a post-it note with the superuser password on it and told them we would explain how we found it if they wanted.
I was summoned to the office of the head of IT, congratulated, asked to explain how we did it, and told that we had to keep the password a secret until they had a chance to fix the issues. A week later they told us it was fixed. After I graduated my school hired me as a freelancer.
This is in Australia, but I'm unsure how well my experience generalises here.
Once we were in, we eventually found access to the district website server and found the admin password for the entire district (it was a big district) sitting in plaintext on the school website server.
We were smart enough never to do anything malicious or even questionable, apart from getting there in the first place. And we kept it a secret for years. But the amount of sensitive info we had access to was unreal. That same password was used for every major system (school lunches, grading, etc).
And what's crazier is that about ten years later I bumped into somebody at a bar who was on the IT staff for that district. He was stunned to hear the story, and even worse, that the same password was still being used.
The computer teacher set up a special curriculum for me that covered discrete electronics and I attended this in lieu of another class.
He was a former x-ray technician and taught me all about resistors, diodes, capacitors, inductors, you name it. He created binders with these components taped to work sheets with technical information.
The school was run by a moronic fear-mongering admin, but there were at least a few good people who saw I was different. I probably wouldn't be here today if it wasn't for that teacher.
The school is not only incapable of providing a quality education for these super smart kids, but they also were exposing everyone's data in a negligent and reckless way. Where is the punishment for the network admin?
Seems like the real lesson here is don't be a black hat hacker, or at least if you are gonna do that, don't get caught no matter what. The truth is if they weren't minors they'd be totally fucked for this. I imagine lots of us here had similar experiences. It's natural enough to want to explore and play with this kind of thing. But life isn't fair, and that is an important lesson we all have to learn at some point.
If I knew either of these guys I would hire and mentor them right now.
After a similar incident in middle school, my only punishment was that I had to start a computer club at the school and run it with the IT guy that got pwned.
Although I detested the punishment at the time, it turned out to be a lot of fun. I got to build PCs on the school’s dime.
That's why computer crime laws are so disproportionate (e.g. spray paint a physical sign, get a $100 fine; vandalize a digital sign, get five to ten years in prison). They were written when a bunch of ignorant lawmakers were freaking out about hackers turning off electricity or wiping out the stock market.
Funding laws could disallow this. For example, in Indiana, two schools cannot jointly hire a teacher. They can both hire the teacher part-time if they'd like, but the teacher wouldn't get full-time benefits. (My father worked as a business manager in different school systems in Indiana).
The entire reason for this is funding laws. I think this is a consequence of funding schools through property taxes, but I'm not sure. I'd really like some of this to be changed so there is more flexibility and less difference between area schools, but that isn't how these are designed.
How are they at fault if said credentials grant them access to unprotected sensitive records and an obviously badly exposed administration system?
It’s like a bank leaving its doors and vault open, and whoever walks in and grabs the money being lauded for his bank robbing prowess.
Also, they are very much at fault for knowingly using someone else’s credentials. It doesn’t matter how easily they obtained them.
Later on she had to log in to the admin account, and that password was "burger". It turned out to be the password for every admin account in every school in my district. I'm guessing they were all set up by the same guy, with a note saying, "make sure to change the password!"
I had access to EVERYTHING. But, I was a pretty good kid, so I just poked around enough to really verify that I could do anything and then I logged out and never logged back in. I was terrified that I was going to get in huge trouble just for accessing things I shouldn't have.
Exact same story on my side, and the password wasn't much better either. The worst is that she hinted at what the password could be (I assumed it was a joke to calm down curious kids) but it was totally right when I managed to actually see that password for myself.
Me: That sounds trivial to break; have you tried XOR?
Friend: I'll try that now. [Tries ONE value] It's just XORing each character of the password with 0xC9!
Me: Wow, that was fast. Why did you guess 0xC9?
Friend: 0xC9 is 11001001.
Yes, my friend was a huge trekkie. ( http://memory-alpha.wikia.com/wiki/11001001_%28episode%29 )
We spent the rest of high school getting strange looks from teachers that hated that we always seemed to know their passwords, but also wanted our help fixing their computers.
> Friend: I'll try that now. [Tries ONE value] It's just XORing each character of the password with 0xC9!
Really? You kids just guessed it on the first try? I'm skeptical.
Meh, believe it or not, it's what happened. The real lessons are that XOR isn't a very secure hash function, and a lot of high school level "security" has often been little more than a cheap facade.
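As an added illustration (my own code, not from any comment in this thread) of why the single-byte XOR scheme above is not a hash at all: XOR is its own inverse, so one known password reveals the key for every stored password, whereas a salted, iterated password hash cannot be inverted. The key byte 0xC9 comes from the comment; the sample password "burger" (from another comment in the thread), `hash_password` and `verify_password` are assumptions of mine.

```python
import hashlib
import hmac
import os

KEY = 0xC9  # the key byte the commenter's friend guessed (binary 11001001)


def xor_obfuscate(password: str, key: int = KEY) -> bytes:
    """The weak scheme from the thread: XOR every byte with one key byte."""
    return bytes(b ^ key for b in password.encode())


def xor_deobfuscate(stored: bytes, key: int) -> str:
    """XOR is its own inverse: applying the same key again restores the text."""
    return bytes(b ^ key for b in stored).decode()


def recover_xor_key(stored: bytes, known_plaintext: str) -> int:
    """Knowing one password and its stored form gives the key directly:
    stored[i] ^ plaintext[i] == key for every i. Returns -1 if the known
    plaintext is not consistent with a single key byte."""
    kp = known_plaintext.encode()
    if not kp or len(kp) > len(stored):
        return -1
    key = stored[0] ^ kp[0]
    return key if all(s ^ p == key for s, p in zip(stored, kp)) else -1


# What a password store should do instead: salted, slow, one-way hashing.
# PBKDF2-HMAC-SHA256 is used here because it ships in the standard library.
def hash_password(password: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # random per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    stored = xor_obfuscate("burger")        # constructed sample password
    print(recover_xor_key(stored, "burger") == KEY)  # one known password leaks the key
    salt, digest = hash_password("burger")
    print(verify_password("burger", salt, digest))   # True, but digest cannot be inverted
```

Note that the XOR store also leaks which users share a password (identical stored bytes), which the random salt in `hash_password` prevents.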
While what the kids did is simple to us, it is magic to these other people who can't even fathom the security implications of such a system. And that's the scary part. The technology is adopted faster than it is being understood.
What about not overreacting either way, teaching them right and wrong, legal and illegal too, and punishing them in an age-appropriate way without involving cops?
Soul-crushing lack of accountability is a factor as well. Outside of physically assaulting someone or stealing a bunch of shit it is almost unheard of for someone to be terminated for either incompetence or negligence unless it's so optically bad for the district or administration as a whole that they have no choice.
Then you have to take into account the skillsets that you're left with when capable people leave. In my experience, those that can swim best often jump ship first and with them take knowledge that was either carelessly preserved or is totally unattainable by the staff that remains. Positions are sometimes never back-filled, leaving less capable staff to pick up the slack, and the cycle continues: things get overlooked and stagnate, and smart, bored kids own your ass.
Give the proceeds to charity, repay the electric from their own pockets (eg by doing chores), get them on a course or give them hardware to set up comps they can hack at legally.
It was not lack of access or lack of outlet. It was lack of boundaries, and access to the school network was not the only behavioral problem mentioned in the article.
[0] for the record I don't mean it shouldn't be, it just sounds bad enough, so imagine how bad a non-charitable take would be
Imo, the actual tech achievement there (for that age) is building a mining computer and learning JavaScript basics from video. Which is more than other kids can do and shows some self-motivation.
Also note the article is pretty explicit that this compromised computer gave them access to the entire network. And "servers" is in the plural when it talks about crypto-mining. Likely this is how they controlled the mining operation.
For general CCTV, many are installed to allow monitoring while away from the house. Nanny cams, for example.
Installing CCTV on an existing network will put it online automatically.
The most important issue to consider is that these devices (routers, cameras, alarms, locks...) come with default passwords. And almost no one changes them. So anyone who knows which port to look at (Shodan search engine, port scanner) has a high chance of getting entry.
Although I never tried, I’m guessing that all you would have to do is guess a password (not hard if it’s in a spreadsheet) to a UDP stream accessible through VLC. If you couldn’t guess the password, the software on the cameras is so old that you could find a plethora of exploits to use to get root and reset the password.
That was nerve-wracking.
There was a whole internal crisis around it - it was not a huge school, a private IT and media school with less than 1000 students at the time. They had logs that made me have to admit it, and I effectively got cut off from the AD. Game over.
However, I still had a private 0day for the intranet so I could see what they were writing about what to do with the situation. It seems like the consensus was to turn us in to the police - just like with the boys in the article. But then our head of school posted an MP3 file on an internal closed message board arguing that this was not the way to do this, and instead we got "detention": I had to build a web app and database for connecting students to companies for internships. Which was pretty fun.
Some time after graduation and military service, the head of school calls me out of the blue and wonders what I am up to now. Apparently he had moved on from the school and was now working with one of the most famous web entrepreneurs in our country with a small startup in the town where I went to high school.
So that's how I got my first full-time job, where I learned a lot.
Morality aside, which approach was more constructive here?
One friend wrote a fake login program that would immediately quit and run the real login program so we could collect credentials.
Another friend got in real trouble though, supposedly for either trying to or actually changing grades. I knew we could get in trouble. But I also never would have considered doing anything other than pranks.
Of course, even pranks can be dangerous. One of my friends found an open mail server (not that there were any shortage of those at the time) and sent some prank emails that could have gotten him in real trouble.
The school is extremely negligent / tech-poor and they want to hide their embarrassment by blowing up the skills of the boys. Anyone who has used TeamViewer will testify that it's impossible to hide a remote viewing session from the client screen.
The boys should sue for entrapment.