back to article Nine year-old blamed for US school system hack

Police hunting a hacker who had attacked a US school's systems found themselves cornering a "very intelligent" 9 year old instead, it has emerged. When passwords for teachers at Spring Hill Elementary, Virginia, were changed without authorisation the school board initially thought a hacker had broken into the school district's …

COMMENTS

This topic is closed for new posts.
  1. SuperTim

    took?

    so they were written down somewhere then.....

    tsk tsk, what terrible security. Sound's like teacher needs lessons!

    1. Anonymous Coward
      Anonymous Coward

      You're living in fairy-land

      There's nothing wrong with writing passwords down. It's the leaving them in easy-to-find spots that the teacher needs to work on.

  2. Matt Bucknall

    We all know where this is leading...

    <creepy-robot-voice>Wouldn't you prefer a nice game of chess?</creepy-robot-voice>

    <broderick-voice>Later. Let's play Global Thermonuclear War.</broderick-voice>

  3. Code Monkey

    I agree - not a hack

    I work for one of Blackboard's competitors and don't consider that a hack.

    You can secure an application as much as you like and it's all for nothing if teachers are going to leave login details lying about in classrooms.

    1. Kevin 6

      Agree

      Agree 10000%

      Worked for 2 different schools never want to do it again security is a nightmare.

      One Private school system I worked (quit after 5 months from almost losing my sanity) every teacher (principal and the administration also) had the password 12345.Students figured it out after a week and were screwing around. 90% of the teachers added a 6(they had to paste the all hard to remember password of 123456 on their monitor as well), and the principal used the all impossible to guess 54321(also posted on the monitor)... We tried to force them to change passwords to unique things but they complained to the people in charge and we were forced to change the password policies back to allow 12345... The teachers would also log in the student PC's, and never log out...

      Our servers were even compromised cause we were FORCED to set 12345 as the login for the administrator account...

      I also worked for a college for 3 years 90% of the teachers passwords were the same as their logins(1st initial of 1st name full last name) and they would spell those wrong half the time, and had to have a post it note on their monitor with it...

  4. blackworx
    Alert

    War Games

    That's how it always starts. One minute you're nicking passwords off a teacher's desk, the next you're playing Total Thermonuclear War.

  5. Anonymous Coward
    FAIL

    So... lets apply

    the crapspeak translator....

    a teacher wrote down their username and password, some a pupil stole it.

    That is hardly the hack of the century - is it.

    Time for some more Luser education <sigh>

  6. TimNevins
    Thumb Up

    Wargames

    Next stop. WOPR

    All thats missing a is police report detailing the kids drinking preferences. i.e. a can of TAB

  7. jon 72
    Thumb Up

    Kinder Suprise

    Yep, that's a hack folks.

  8. Anonymous Coward
    Anonymous Coward

    Been there, done that.

    Although I was 13 at the time. Caught the teacher typing her password into the "Econet" for our BBC model B network, and a few minutes later had super user privilages myself, and a couple of my mates.

    It was all fun for us, but looking back a total nightmare for her, as it was impossible for the school to regain control of the network over the next 4 months, resulting in the dept being closed for a week while a contractor sorted the mess out.

    In the end we were suspended from IT lessons for a couple of weeks, before being allowed back after the teacher spoke to the head about us knowing more than her about the system. We got to keep our admin privs too, I'm guessing she was trying to steer us into being responsible users rather than us starting to hack the system underground (once we'd got admin privs, we quickly discovered real ways of hacking into the system using timeouts and simple buffer overflows, and even completely random ways like holding down shift, pressing break, releasing break, releasing shift, then half a second later, pressing break again gave you a command prompt with username-less admin rights)

    1. Anonymous Coward
      Anonymous Coward

      BBC Micros FTW

      I did the same with the BBC Micro network at school, probably the same time as you, they had recently been upgraded to Econet with a whopping 35 megabyte harddrive!

      Security is often too lax at educational institutions, I once managed to delete the login files of a college once without needing to login as an admin, leaving lots of people unable to login.....oops

      P.S. anyone fancy a game of Repton 3?

    2. heyrick Silver badge

      Econet hack, the real way...

      Seeing a password entered or written down isn't a hack. It's just good luck! A proper hack (and a lesson learned the hard way) is like this:

      Redirect VDU output to a serial port hooked to a printer in another room. Run mon(itor), which for some reason known only to Acorn dumped all Econet traffic in hex. Wait for teacher to log in, then spend several hours with a calculator and ASCII chart trying to make sense of pages and pages of fanfold spewage, most of which was just lots and lots of hex numbers.

      Then, sitting on the dormitory floor, the 13 year old me cried. I actually cried...

      *I AM SYST SECRET

  9. Neil 32
    Coat

    He's not a hacker...

    He's a very naughty boy!

  10. Winkypop Silver badge
    Coat

    I remember Chalk 1.0 at school

    Never had a problem then.

    Apart from copping a flying chalk-duster to the head when not paying attention....

  11. Anonymous Coward
    Anonymous Coward

    Throw the book at him

    The Feds should throw the book at this hacker and make an example of him. It probably cost the school in the region $3 billion and could have significant repercussions on teaching ability further down the line. In fact, the MPAA has probably got involved as well as the RIAA. and they should be suing for loss of revenue that can be directly attributable to this hack.

    No doubt his 'mother' will offer a defence based on Aspergers but this should be ignored.

    I'd suggest seven to ten in the State Pen. In fact, no, ignore that. Send him to the chair, or at the very least, the naughty step.

  12. Absent

    The password was....

    Pencil

    1. Fred Flintstone Gold badge

      No, no..

      .. it was 6 stars: ****** - because it was the only thing the password box showed..

  13. Anonymous Coward
    WTF?

    But it is a crime...

    ...and whoever has been drawing salary for supposedly overseeing that school's systems is the perpetrator...

    Got login details from his teacher's desk???? I really do give up... Cunningly sellotaped to the bottom of a drawer, were they?

    1. Tim Bates
      FAIL

      Bottom of a drawer?

      Try bottom of their keyboard... The school I work for has at least one teacher who's done this.

      Funny thing is no one else seems to know about it. Students are yet to find it, and even a few of the staff in the same faculty don't know about it.

      Still, even if that password gets out, they don't have any admin rights on any systems. Normal users should not have rights to change global settings on anything, and admins should be using different accounts for that.

  14. FreeTard

    Quite surprised they ...

    .. didn't throw him in Guantanamo actually. Is that not what they do normally to under age crims?

    Try as an adult and all that US stuff.

  15. Anonymous Coward
    Anonymous Coward

    Blackboard should be hacked.....

    ......into tiny tiny pieces, the implementation of it at the university I attended was a horrible, unmanageable mess, with the uptime of an essex girls knickers, and I am led to believe that we had one of the better implementations of it.

  16. Anonymous Coward
    Anonymous Coward

    maybe not criminal

    but the child sure as heck was not doing it for any altruistic motive

  17. Hedley Phillips

    I hope they throw the book at him

    If it's good enough for Gary McKinnon, it's good enough for the cleva 9 year old.

  18. hplasm
    Grenade

    Good job he wasn't looking

    For alien technology; he'd be off to Gitmo. That's the official penalty for such offences, I understand.

  19. Andrew Moore

    I know our septic friends are a little backwards...

    but isn't 9 years old a little too old for kindergarten?

    1. I didn't do IT.
      Heart

      Re: Too Old

      That's the plan here nowadays...

      Hold them back a year or two, and suddenly they are "advanced" for their grade.

      Just not their age.

      Icon - We are all happy heart people here, eh?

  20. Anonymous Coward
    Troll

    Let off?

    Surely a mistake? It must have cost millions of dollars to re-secure the system. The boy should be extradited to be tried and locked up forever.

    What's the world coming to, when someone can log in to a system, have a look around (for UFOs?), make some changes and logout without being sent to the gas chamber?

  21. Harry Percival
    FAIL

    Blackboard = crap

    I am in the unfortunate situation of having to use Blackboard as part of an online Masters course, and I have to say, I've never seen a worse piece of software. I'm not at all surprised it can be hacked by a 9-year old.

    1. Anonymous Coward
      Headmaster

      You're the failure

      If your ability to read and comprehend this article is anything to go by, no wonder you're baffled by Blackboard.

      I'm guessing you're a mature student, hiding from an unfathomable and stressful real world in the warm comforting realm which is academia.

      E5. Must try harder.

  22. Anonymous Coward
    Thumb Up

    for shure its a hack...

    Of the social engineering type to be exact. When i was this lads age there was a password hint that i got translated by a non IT-minded teacher so i could access the Finder which was protected by apples lockdown tool (whose name i just can't remember).

    They changed the password after catching me. The new one didn't have hint, it was the birthday of the main IT teachers daughter though. They never caught me using that one.

    > He's a very intelligent 9-year-old,with no criminal intent

    Just scratch the "9-year old" part and you get quite a nice definition of "hacker" as it used to be defined before the mass media started calling every eCrim a hacker.

    1. Il Midga di Macaroni
      Thumb Up

      Hacker

      Sir, I bow in reverence to you for being one of the few people left in the world to know the true meaning of the word "hacker".

  23. Joseph Haig
    FAIL

    Very intelligent 9 year old?

    How exactly did the 9 year old get the password? It is not entirely clear whether it was just written down on the teachers desk or whether key-logging or similar was required. In the latter case, I may concede that the kid was clever, but in the former, more likely, case I would say that it was stupidity or naïvité on the part of the teacher. I would also point the finger at whoever set up the system giving teachers administrator access. Why on earth would they need that? With his teacher's account he should have been able to mess around with assessments, but not the passwords of other teachers and enrolment lists.

  24. Anonymous Coward
    Anonymous Coward

    From the desk?

    What do you mean "from the desk"? Did the teacher have their password and username written down and placed on top of her desk around classes of children?!

    The police may take no against the kid, but the headmaster needs to bring the teacher in for questioning.

  25. Anonymous Coward
    Happy

    Everyday hacking

    LOL, this is far more common than people realise.

    I hacked teacher's administrator passwords for the entire school Novell Netware system. Though I was only 12 at the time. Unlike the 9 year old, other than creating accounts for myself, poking around teachers files, spying and messaging others, I did not do much.

    Aah, those were the days :)

    Oddly enough, in the end I was made one of only two student administrators for many years for the school. Of course, no one knew about my previous hacking...or at least I don't think so!

  26. DirkGently
    Headmaster

    Racist!

    I thought blackboard was banned by the PC brigade... it should be chalkboard. Maybe the child just wanted to alert people of this crime. lol

    1. Anonymous Coward
      Anonymous Coward

      Racism is in the eye of the beholder

      The funny thing is... 'blackboard' never gives me the slightest connotation of racism. I just wouldn't think of it when I see or hear the word.

      Yet 'chalk board' instantly makes me think of Jim Davison.

      Either way, get rid of it and bring back pocket record books with the school/collage crest proudly printed on them and a little margin on each page to allow the secretary to stamp the days you're late!

  27. Anonymous Coward
    Anonymous Coward

    Really intelligent

    Doesn't he watch TV? "They" can always trace you!

    Mine's the one with the newly brought, second-hand laptop currently connected to your WEP protected wifi router that will be chucked of Blackpool pier when I've finished my current "project".

  28. kasparator

    You're all missing the point slightly

    I'm one of the very few people with Blackboard admin accounts in our university. The biger problem is that (if I read the article correctly) tutor's account had administrative priviledges - their system role was that of an admin, which gives you practically unlimited rights on the system.

    Ordinary users can't reset passwords for other Blackboard users, this can only be done by sysadmin or account holders themselves.

    Though we've had our share of Blackboard trouble this specific problem lies with giving sysadmin rights to a numpty, could happen on any system.

    1. I didn't do IT.
      Flame

      Missing the point

      While true on all counts, the fact that this is today's definition of "hacking" is par for the course.

      Someone did something that the original programmer or system builder did not expect (in this case, access by a student). Whether it was the fault of the system security, the school administration, the system administration, or the individual account holder(s) makes no difference.

      We have to sensationalize - however else will we steer the course of popular opinion?!

  29. Will Shaw
    FAIL

    It's a classic example....

    .....of an undocumented ID-10T feature in the meatware manifesting as a POBKAC.

  30. John Smith 19 Gold badge
    Joke

    Write out 100 times

    "I must not write down my password *especially* if I have administrator privileges and people can find it"

    That should fix that little problem.

  31. Jason Togneri
    FAIL

    @ Racism!

    Uh, what? I hope that was a joke. Should we ban the word "black" because it's racist? What about "white"? I can see it now:

    "What are you wearing tonight? It's a very-dark-grey-tie event."

    "My, those clouds look beautiful, they're extremely ultra-light-grey."

    Don't be a retard.

  32. HFoster
    FAIL

    Lack of IT training

    The funny thing is, in a world obsessed with cumputerising every aspect of modern life, so few of the people expected to work with the force-fed technologies are appropriately trained.

    Looking beyond the teacher's SNAFU of leaving their password in plain sight, no ordinary user account should have admin rights, as has been mentioned before. Did the school try to save money by getting Mr Jones the Head of ICT to setup (and consequently fuck-up) the Blackboard system? Or did thy strong-arm the contractors into this foolish account setup?

    Whoever's at fault, their head should roll for this. The fact that a child would get up to mischief with an unsecure password should have been considered from the get-go. Revoke the kid's IT privileges for a few weeks, and fire the idiot who made it possible for his mischief to cause that much disruption.

  33. Pinkerton
    Happy

    Obligatory anecdote...

    Many years ago, whilst doing some work for a school, the head of the IT department told me that they have all their admin passwords in French because, "that way at least the little bastards will learn something if they get hold of them".

This topic is closed for new posts.

Other stories you might like