took?
so they were written down somewhere then.....
tsk tsk, what terrible security. Sounds like teacher needs lessons!
Police hunting a hacker who had attacked a US school's systems found themselves cornering a "very intelligent" 9 year old instead, it has emerged. When passwords for teachers at Spring Hill Elementary, Virginia, were changed without authorisation the school board initially thought a hacker had broken into the school district's …
Agree 10000%
Worked for 2 different schools, never want to do it again; security is a nightmare.
One Private school system I worked (quit after 5 months from almost losing my sanity) every teacher (principal and the administration also) had the password 12345. Students figured it out after a week and were screwing around. 90% of the teachers added a 6 (they had to paste the all hard to remember password of 123456 on their monitor as well), and the principal used the all impossible to guess 54321 (also posted on the monitor)... We tried to force them to change passwords to unique things but they complained to the people in charge and we were forced to change the password policies back to allow 12345... The teachers would also log in to the student PCs, and never log out...
Our servers were even compromised cause we were FORCED to set 12345 as the login for the administrator account...
I also worked for a college for 3 years. 90% of the teachers' passwords were the same as their logins (1st initial of 1st name, full last name) and they would spell those wrong half the time, and had to have a post-it note on their monitor with it...
Although I was 13 at the time. Caught the teacher typing her password into the "Econet" for our BBC model B network, and a few minutes later had super user privileges myself, and a couple of my mates.
It was all fun for us, but looking back a total nightmare for her, as it was impossible for the school to regain control of the network over the next 4 months, resulting in the dept being closed for a week while a contractor sorted the mess out.
In the end we were suspended from IT lessons for a couple of weeks, before being allowed back after the teacher spoke to the head about us knowing more than her about the system. We got to keep our admin privs too, I'm guessing she was trying to steer us into being responsible users rather than us starting to hack the system underground (once we'd got admin privs, we quickly discovered real ways of hacking into the system using timeouts and simple buffer overflows, and even completely random ways like holding down shift, pressing break, releasing break, releasing shift, then half a second later, pressing break again gave you a command prompt with username-less admin rights)
I did the same with the BBC Micro network at school, probably the same time as you, they had recently been upgraded to Econet with a whopping 35 megabyte hard drive!
Security is often too lax at educational institutions. I once managed to delete the login files of a college without needing to log in as an admin, leaving lots of people unable to log in... oops
P.S. anyone fancy a game of Repton 3?
Seeing a password entered or written down isn't a hack. It's just good luck! A proper hack (and a lesson learned the hard way) is like this:
Redirect VDU output to a serial port hooked to a printer in another room. Run mon(itor), which for some reason known only to Acorn dumped all Econet traffic in hex. Wait for teacher to log in, then spend several hours with a calculator and ASCII chart trying to make sense of pages and pages of fanfold spewage, most of which was just lots and lots of hex numbers.
Then, sitting on the dormitory floor, the 13 year old me cried. I actually cried...
*I AM SYST SECRET
The Feds should throw the book at this hacker and make an example of him. It probably cost the school in the region $3 billion and could have significant repercussions on teaching ability further down the line. In fact, the MPAA has probably got involved as well as the RIAA, and they should be suing for loss of revenue that can be directly attributable to this hack.
No doubt his 'mother' will offer a defence based on Aspergers but this should be ignored.
I'd suggest seven to ten in the State Pen. In fact, no, ignore that. Send him to the chair, or at the very least, the naughty step.
Try bottom of their keyboard... The school I work for has at least one teacher who's done this.
Funny thing is no one else seems to know about it. Students are yet to find it, and even a few of the staff in the same faculty don't know about it.
Still, even if that password gets out, they don't have any admin rights on any systems. Normal users should not have rights to change global settings on anything, and admins should be using different accounts for that.
Surely a mistake? It must have cost millions of dollars to re-secure the system. The boy should be extradited to be tried and locked up forever.
What's the world coming to, when someone can log in to a system, have a look around (for UFOs?), make some changes and logout without being sent to the gas chamber?
Of the social engineering type to be exact. When I was this lad's age there was a password hint that I got translated by a non IT-minded teacher so I could access the Finder which was protected by Apple's lockdown tool (whose name I just can't remember).
They changed the password after catching me. The new one didn't have a hint, it was the birthday of the main IT teacher's daughter though. They never caught me using that one.
> He's a very intelligent 9-year-old, with no criminal intent
Just scratch the "9-year old" part and you get quite a nice definition of "hacker" as it used to be defined before the mass media started calling every eCrim a hacker.
How exactly did the 9 year old get the password? It is not entirely clear whether it was just written down on the teacher's desk or whether key-logging or similar was required. In the latter case, I may concede that the kid was clever, but in the former, more likely, case I would say that it was stupidity or naïveté on the part of the teacher. I would also point the finger at whoever set up the system giving teachers administrator access. Why on earth would they need that? With his teacher's account he should have been able to mess around with assessments, but not the passwords of other teachers and enrolment lists.
LOL, this is far more common than people realise.
I hacked teacher's administrator passwords for the entire school Novell Netware system. Though I was only 12 at the time. Unlike the 9 year old, other than creating accounts for myself, poking around teachers files, spying and messaging others, I did not do much.
Aah, those were the days :)
Oddly enough, in the end I was made one of only two student administrators for many years for the school. Of course, no one knew about my previous hacking...or at least I don't think so!
The funny thing is... 'blackboard' never gives me the slightest connotation of racism. I just wouldn't think of it when I see or hear the word.
Yet 'chalk board' instantly makes me think of Jim Davison.
Either way, get rid of it and bring back pocket record books with the school/college crest proudly printed on them and a little margin on each page to allow the secretary to stamp the days you're late!
I'm one of the very few people with Blackboard admin accounts in our university. The bigger problem is that (if I read the article correctly) the tutor's account had administrative privileges - their system role was that of an admin, which gives you practically unlimited rights on the system.
Ordinary users can't reset passwords for other Blackboard users, this can only be done by sysadmin or account holders themselves.
Though we've had our share of Blackboard trouble this specific problem lies with giving sysadmin rights to a numpty, could happen on any system.
While true on all counts, the fact that this is today's definition of "hacking" is par for the course.
Someone did something that the original programmer or system builder did not expect (in this case, access by a student). Whether it was the fault of the system security, the school administration, the system administration, or the individual account holder(s) makes no difference.
We have to sensationalize - however else will we steer the course of popular opinion?!
The funny thing is, in a world obsessed with computerising every aspect of modern life, so few of the people expected to work with the force-fed technologies are appropriately trained.
Looking beyond the teacher's SNAFU of leaving their password in plain sight, no ordinary user account should have admin rights, as has been mentioned before. Did the school try to save money by getting Mr Jones the Head of ICT to set up (and consequently fuck-up) the Blackboard system? Or did they strong-arm the contractors into this foolish account setup?
Whoever's at fault, their head should roll for this. The fact that a child would get up to mischief with an unsecure password should have been considered from the get-go. Revoke the kid's IT privileges for a few weeks, and fire the idiot who made it possible for his mischief to cause that much disruption.